diff --git a/Logos/salem_logo.svg b/Logos/salem_logo.svg new file mode 100644 index 00000000000..addea01cfe0 --- /dev/null +++ b/Logos/salem_logo.svg @@ -0,0 +1,13 @@ + + + diff --git a/Sample Data/SalemCyber.csv b/Sample Data/SalemCyber.csv new file mode 100644 index 00000000000..3d699fb23e1 --- /dev/null +++ b/Sample Data/SalemCyber.csv 
@@ -0,0 +1,6 @@
+TenantId,SourceSystem,TimeGenerated [UTC],Computer,RawData,report_time_t [UTC],id_g,date_s,receive_time_s,alert_source_s,raw_s,alert_name_s,parsed_s,context_s,actions_s,prediction_s,updated_by_s,incident_s,source_s,Type
+00000000-0000-0000-0000-000000000000,RestAPI,"7/30/2023, 7:19:16.731 PM",,,"7/30/2023, 7:19:15.361 PM",00000000-0000-0000-0000-000000000001,7/30/2023,1690744624,sentinel,"{'custom_details': {}, 'earliest': '2023-07-16 19:12:00Z', 'entities': [{'$id': '3', 'Name': 'Partner-Integration', 'Type': 'account'}], 'incident_id': 550, 'latest': '2023-07-30 19:12:01Z'}",Service Principal Authentication Attempt from New Country,"{'earliest': '2023-07-16 19:12:00Z', 'entities': [{'$id': '3', 'Name': 'Partner-Integration', 'Type': 'account'}], 'incident_id': 550, 'latest': '2023-07-30 19:12:01Z', 'account': ['Partner-Integration'], 'alert_name': 'Service Principal Authentication Attempt from New Country'}","{'action': ['authentication'], 'account': ['shared_access_key']}","['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922']","[0.8330117799341679, 0.8330117799341679]",[],1,Salem,SalemAlerts_CL
+00000000-0000-0000-0000-000000000002,RestAPI,"7/27/2023, 11:13:26.097 AM",,,"7/27/2023, 11:13:24.722 AM",00000000-0000-0000-0000-000000000003,7/27/2023,1690456295,sentinel,"{'custom_details': {'app': ['Miro'], 'account': ['jan.bragg@example.com'], 'result': ['50074'], 'description': ['Strong Authentication is required.']}, 'earliest': '2023-07-26 11:06:30Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'Type': 'account'}, {'$id': '4', 'Address': '2600:0000:0000:0000:0000:0000:0000:f0e1', 'Type': 'ip'}], 'incident_id': 
543, 'latest': '2023-07-27 11:06:31Z'}",Successful logon from IP and failure from a different IP,"{'custom_details__app': ['Miro'], 'custom_details__account': ['jan.bragg@example.com'], 'custom_details__result': ['50074'], 'custom_details__description': ['Strong Authentication is required.'], 'earliest': '2023-07-26 11:06:30Z', 'entities': [{'$id': '3', 'Name': jan.bragg', 'UPNSuffix': 'example.com', 'Type': 'account'}, {'$id': '4', 'Address': '2600:0000:0000:0000:0000:0000:0000:f0e1', 'Type': 'ip'}], 'incident_id': 543, 'latest': '2023-07-27 11:06:31Z', 'account': ['jan.bragg'], 'alert_name': 'Successful logon from IP and failure from a different IP'}","{'action': ['authentication'], 'dest': ['cloud_service'], 'program':['approved_program']}","['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922', 'UserGen_action.failure_1680017671', 'UserGen_action.failure_1680099173', 'UserGen_action.failure_1680532569', 'UserGen_action.failure_1688659161']","[0.4487365037202835, 0.2812345498983101]",[],0,Salem,SalemAlerts_CL
+00000000-0000-0000-0000-000000000003,RestAPI,"7/27/2023, 7:35:38.856 PM",,,"7/27/2023, 7:35:37.094 PM",00000000-0000-0000-0000-000000000004,7/27/2023,1690486413,sentinel,"{'custom_details': {}, 'earliest': '2023-07-20 19:28:29Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}, {'$id': '4', 'Address': '123.123.123.123', 'Type': 'ip'}], 'incident_id': 544, 'latest': '2023-07-27 19:28:30Z'}",Failed login attempts to Azure Portal,"{'earliest': '2023-07-20 19:28:29Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 
'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}, {'$id': '4', 'Address': '123.123.123.123', 'Type': 'ip'}], 'incident_id': 544, 'latest': '2023-07-27 19:28:30Z', 'account': ['jan.bragg'], 'alert_name': 'Failed login attempts to Azure Portal'}","{'action': ['authentication', 'expected_aciton'], 'dest': ['cloud_service']}","['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922']","[0.4976343959569931, 0.1197867461203676]",[],0,Salem,SalemAlerts_CL
+00000000-0000-0000-0000-000000000004,RestAPI,"7/27/2023, 7:53:22.111 PM",,,"7/27/2023, 7:53:21.738 PM",00000000-0000-0000-0000-000000000005,7/27/2023,1690487481,sentinel,"{'custom_details': {'country': ['LV'], 'user_agent': ['[""Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230705.001) ;Pixel 6""]'], 'src_host': ['[""""]'], 'src_ip': ['[""123.123.123.123""]'], 'result': ['[""0 - ""]'], 'user': ['jan.bragg@example.com']}, 'earliest': '2023-07-13 19:46:17Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 545, 'latest': '2023-07-27 19:46:18Z'}",Authentication Attempt from New Country,"{'custom_details__country': ['LV'], 'custom_details__user_agent': ['[""Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230705.001) ;Pixel 6""]'], 'custom_details__src_host': ['[""""]'], 'custom_details__src_ip': ['[""123.123.123.123""]'], 'custom_details__result': ['[""0 - ""]'], 'custom_details__user': ['jan.bragg@example.com'], 'earliest': '2023-07-13 19:46:17Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 
'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 545, 'latest': '2023-07-27 19:46:18Z', 'account': ['jan.bragg'], 'alert_name': 'Authentication Attempt from New Country'}","{'action': ['authentication'] 'account': ['on_travel', 'domain_account']}","['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922', 'UserGen_action.failure_1680017671', 'UserGen_action.unapproved_action_1680017995', 'UserGen_action.failure_1680099173', 'UserGen_action.failure_1680532569', 'UserGen_action.failure_1688659161']","[0.4487365037202835, 0.3422004755431098]",[],0,Salem,SalemAlerts_CL
+00000000-0000-0000-0000-000000000006,RestAPI,"7/25/2023, 2:42:40.263 PM",,,"7/25/2023, 2:42:37.783 PM",00000000-0000-0000-0000-000000000007,7/25/2023,1690296007,sentinel,"{'custom_details': {'city': ['Mumbai'], 'src_os': ['Windows 10'], 'account': ['jan.bragg@example.com'], 'process': ['Edge 18.19045'], 'logon_type': ['AADNonInteractiveUserSignInLogs'], 'region': ['IN'], 'src': ['[""123.123.123.123"",""123.123.123.124""]'], 'app': ['Microsoft Office'], 'result': ['[""failure""]']}, 'earliest': '2023-07-24 14:35:02Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 541, 'latest': '2023-07-25 14:35:03Z'}",Attempt to bypass conditional access rule in Azure AD,"{'custom_details__city': ['Mumbai'], 'custom_details__src_os': ['Windows 10'], 'custom_details__account': ['jan.bragg@example.com'], 'custom_details__process': ['Edge 18.19045'], 'custom_details__logon_type': ['AADNonInteractiveUserSignInLogs'], 'custom_details__region': ['IN'], 
'custom_details__src': ['[""123.123.123.123"",""123.123.123.124""]'], 'custom_details__app': ['Microsoft Office'], 'custom_details__result': ['[""failure""]'], 'earliest': '2023-07-24 14:35:02Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 541, 'latest': '2023-07-25 14:35:03Z', 'account': ['jan.bragg'], 'alert_name': 'Attempt to bypass conditional access rule in Azure AD'}","{'dest': ['cloud_service'], 'action': ['authentication', 'failure'], 'account':['mfa_enabled']}","['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922', 'UserGen_action.failure_1680017671', 'UserGen_action.failure_1680099173', 'UserGen_action.failure_1680532569', 'UserGen_action.failure_1688659161']","[0.49763429164886475, 0.0329890876554427]",[],0,Salem,SalemAlerts_CL
diff --git a/Solutions/SalemCyber/Data/Solution_Salem.json b/Solutions/SalemCyber/Data/Solution_Salem.json
new file mode 100644
index 00000000000..8e4720bbb48
--- /dev/null
+++ b/Solutions/SalemCyber/Data/Solution_Salem.json
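Review bot: The serialized columns in these sample rows (`raw_s`, `parsed_s`, `context_s`, `actions_s`) are Python `repr` text — single-quoted keys, bare `True` — rather than JSON, and three rows are additionally malformed: `'Name': jan.bragg'` drops an opening quote, `{'action': ['authentication'] 'account': [...]}` drops a comma, and `'expected_aciton'` looks like a typo for `expected_action`. The dashboard shipped in this commit runs `parse_json(context_s)` followed by `mv-expand context.account` over `SalemAlerts_CL`; KQL's `parse_json` hands back the original string when the input is not valid JSON, so if this is the shape the connector really ingests the "Most Targeted" tiles would likely stay empty, and if it is only an export artifact the sample no longer exercises the workbook. Either way the file should be regenerated from the actual JSON payloads, and a short note alongside it should state which columns hold JSON. `prediction_s` (for example `"[0.8330117799341679, 0.8330117799341679]"`) is already valid JSON and is unaffected.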
@@ -0,0 +1,25 @@
+{
+ "Name": "SalemCyber",
+ "Author": "Salem Cyber - support@salemcyber.com",
+ "Logo": "",
+ "Description": "Salem, [AI Cyber analyst](https://salemcyber.com), **automatically investigates** Microsoft Sentinel alerts and escalates validated threats that require your attention. \n\nThis Microsoft Sentinel integration allows you to send new Microsoft Sentinel alerts to Salem for analysis and reporting.\n\n**Why Salem?** \n\nMost alerts are false positives. Salem automatically triages noisy cyber alerts to find a small number of threats that require your attention. \n\nSalem scales the impact of your cyber team by helping you respond well 24/7 to a wide range of security threats. \n\nSalem's AI learns from your team and customizes its analysis to your cyber relevant business context. \n\n**Get Started with Salem** \n\nYou can find and install Salem, AI cyber analyst in the [Azure Marketplace](https%3A%2F%2Fazuremarketplace.microsoft.com%2Fen-us%2Fmarketplace%2Fapps%2Fsaleminc1627928803559.salemcyber%3Ftab%3DOverview)",
+ "Workbooks": ["Solutions/SalemCyber/Workbooks/SalemDashboard.json"],
+
+ "WorkbookBladeDescription": "This Microsoft Sentinel Integration installs workbooks to help visualize Salem alert analysis",
+ "Analytic Rules": [],
+ "Playbooks": ["Solutions/SalemCyber/Playbooks/SendAlertToSalem/azuredeploy.json"],
+
+ "PlaybooksBladeDescription": "This Microsoft Sentinel Integration installs a playbook that allows Microsoft Sentinel alerts to be sent to Salem for investigation",
+ "Parsers": [],
+ "SavedSearches": [],
+ "Hunting Queries": [],
+ "HuntingQueryBladeDescription": "",
+ "Data Connectors": [],
+ "Watchlists": [],
+ "WatchlistDescription": [],
+ "BasePath": "C:\\Users\\jonwb\\github\\Azure-Sentinel",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
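Review bot: The Azure Marketplace link at the end of `Description` is percent-encoded (`https%3A%2F%2Fazuremarketplace.microsoft.com%2F...%3Ftab%3DOverview`), so rendered Markdown shows the encoded text instead of a working link; it should be the plain URL, `https://azuremarketplace.microsoft.com/en-us/marketplace/apps/saleminc1627928803559.salemcyber?tab=Overview`. The same encoded link was carried verbatim into `basics.description` of `Solutions/SalemCyber/Package/createUiDefinition.json` in this commit, so the package must be regenerated after fixing it here. `BasePath` commits a developer-local path containing a personal username (`C:\\Users\\jonwb\\github\\Azure-Sentinel`); it appears to be consumed only by the packaging tool, so a neutral placeholder such as `C:\\GitHub\\Azure-Sentinel` (constructed example) avoids leaking a local account name into the repository. `Logo` is left empty even though the commit adds `Logos/salem_logo.svg` and the workbook metadata in `Package/mainTemplate.json` references `logoFileName=salem_logo.svg` — confirm the omission is intentional.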
diff --git a/Solutions/SalemCyber/Package/3.0.0.zip b/Solutions/SalemCyber/Package/3.0.0.zip
new file mode 100644
index 00000000000..2847a89b48a
Binary files /dev/null and b/Solutions/SalemCyber/Package/3.0.0.zip differ
diff --git a/Solutions/SalemCyber/Package/createUiDefinition.json b/Solutions/SalemCyber/Package/createUiDefinition.json
new file mode 100644
index 00000000000..1c79d9fdee8
--- /dev/null
+++ b/Solutions/SalemCyber/Package/createUiDefinition.json
@@ -0,0 +1,131 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SalemCyber/ReleaseNotes.md)\r \n _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nSalem, [AI Cyber analyst](https://salemcyber.com), **automatically investigates** Microsoft Sentinel alerts and escalates validated threats that require your attention. \n\nThis Microsoft Sentinel integration allows you to send new Microsoft Sentinel alerts to Salem for analysis and reporting.\n\n**Why Salem?** \n\nMost alerts are false positives. Salem automatically triages noisy cyber alerts to find a small number of threats that require your attention. \n\nSalem scales the impact of your cyber team by helping you respond well 24/7 to a wide range of security threats. \n\nSalem's AI learns from your team and customizes its analysis to your cyber relevant business context. 
\n\n**Get Started with Salem** \n\nYou can find and install Salem, AI cyber analyst in the [Azure Marketplace](https%3A%2F%2Fazuremarketplace.microsoft.com%2Fen-us%2Fmarketplace%2Fapps%2Fsaleminc1627928803559.salemcyber%3Ftab%3DOverview)\n\n**Workbooks:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "workbooks",
+ "label": "Workbooks",
+ "subLabel": {
+ "preValidation": "Configure the workbooks",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Workbooks",
+ "elements": [
+ {
+ "name": 
"workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Microsoft Sentinel Integration installs workbooks to help visualize Salem alert analysis" + } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "Salem Alerts Workbook", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Monitor Salem Performance" + } + } + ] + } + ] + }, + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Microsoft Sentinel Integration installs a playbook that allows Microsoft Sentinel alerts to be sent to Salem for investigation" + } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/SalemCyber/Package/mainTemplate.json b/Solutions/SalemCyber/Package/mainTemplate.json new file mode 100644 index 00000000000..6ac84d9dbfc --- /dev/null +++ b/Solutions/SalemCyber/Package/mainTemplate.json 
@@ -0,0 +1,499 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Salem Cyber - support@salemcyber.com",
+ "comments": "Solution template for SalemCyber"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Salem Alerts Workbook",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+ },
+ "variables": {
+ "email": "support@salemcyber.com",
+ "_email": "[variables('email')]",
+ "_solutionName": "SalemCyber",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "saleminc1627928803559.salem-cyber-ai-analyst",
+ "_solutionId": "[variables('solutionId')]",
+ "workbookVersion1": "1.0.0",
+ "workbookContentId1": "SalemDashboard",
+ "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_workbookcontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "SendAlertToSalem": "SendAlertToSalem", + "_SendAlertToSalem": "[variables('SendAlertToSalem')]", + "playbookVersion1": "1.0", + "playbookContentId1": "SendAlertToSalem", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SalemDashboardWorkbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": 
"[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Monitor Salem Performance" + }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\",\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ea0c0933-39f4-4220-9afc-d2aca2b7afc7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range_picker\",\"label\":\"Time Range Picker\",\"type\":4,\"isGlobal\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"78694e68-cdb6-4156-9847-b19b75c2b04f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"row_count\",\"label\":\"Row Count\",\"type\":2,\"description\":\"Number of rows to display\",\"isGlobal\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\n 1, 5, 25\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"5\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Top Row\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalemAlerts_CL \\n| extend pred = parse_json(prediction_s)[-1]\\n| extend investigation_status = case(incident_s == \\\"1\\\", \\\"Threat\\\", incident_s == \\\"0\\\", \\\"False Positive\\\", \\\"Not Escalated\\\")\\n| where investigation_status == 
\\\"Threat\\\"\\n| summarize escalated_threats = count()\\n| project Count = escalated_threats\",\"size\":3,\"title\":\"Escalated Threats\",\"noDataMessageStyle\":4,\"timeContextFromParameter\":\"time_range_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"tileSettings\":{\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalemAlerts_CL\\n| summarize Count = count()\",\"size\":3,\"title\":\"Alerts Analyzed\",\"timeContextFromParameter\":\"time_range_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"rowLimit\":50},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalemAlerts_CL \\n| extend pred = parse_json(prediction_s)[-1]\\n| extend investigation_status = case(incident_s == \\\"1\\\", \\\"Threat\\\", incident_s == \\\"0\\\", \\\"False Positive\\\", \\\"Not Escalated\\\")\\n| where investigation_status == \\\"Threat\\\"\\n| summarize cnt = count() by alert_name_s\\n| order by cnt desc\\n| project alert_name = alert_name_s, Count = cnt\\n| take {row_count}\",\"size\":3,\"title\":\"Common Escalated 
Threats\",\"timeContextFromParameter\":\"time_range_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"alert_name\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"alert_name\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalemAlerts_CL \\n| summarize cnt = count() by alert_name_s\\n| order by cnt desc\\n| project alert_name = alert_name_s, Count = cnt\\n| take {row_count}\",\"size\":3,\"title\":\"Common Alerts\",\"timeContextFromParameter\":\"time_range_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 5\"}]},\"name\":\"Top Row\",\"styleSettings\":{\"margin\":\"5\",\"padding\":\"5\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Most Targeted\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalemAlerts_CL \\n| extend pred = parse_json(prediction_s)[-1]\\n| extend investigation_status = case(incident_s == \\\"1\\\", \\\"Threat\\\", incident_s == \\\"0\\\", \\\"False Positive\\\", \\\"Not Escalated\\\")\\n| where investigation_status == \\\"Threat\\\"\\n| extend context = parse_json(context_s)\\n| mv-expand context.account\\n| where isnotempty( context_account) \\n| summarize cnt = count() by tostring(context_account)\\n| order by cnt desc \\n| take 5\\n| project Targeted_Accounts = 
context_account, Count = cnt\",\"size\":3,\"timeContextFromParameter\":\"time_range_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalemAlerts_CL\\n| where incident_s == \\\"1\\\"\\n| extend context = parse_json(context_s)\\n| extend res_context = case(set_has_element(context.dest, \\\"external_resource\\\"), context.src, context.dest)\\n| mv-expand res_context\\n| where res_context !in (\\\"internal_resource\\\",\\\"isHostName\\\")\\n| where isnotempty(res_context)\\n| summarize Count = count() by tostring(res_context)\\n| order by Count desc\\n| project Targeted_Resources = res_context, Count\\n| take {row_count}\",\"size\":3,\"timeContextFromParameter\":\"time_range_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"}]},\"name\":\"most_targeted\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Alert Trend\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"range days from {time_range_picker:start} to {time_range_picker:end} step 1d\\n| project days, day_only = format_datetime(days, \\\"MM/dd/yyyy\\\")\\n| join kind=leftouter (\\n SalemAlerts_CL\\n | summarize alerts = count() by bin(report_time_t, 1d)\\n | project report_time_t, alerts\\n | join kind=leftouter (\\n SalemAlerts_CL\\n | where incident_s == \\\"1\\\"\\n | summarize threats = count() by bin(report_time_t, 1d)\\n | project report_time_t, threats\\n ) on report_time_t\\n | project day_only = format_datetime(report_time_t1, \\\"MM/dd/yyyy\\\"), alerts, threats\\n) on day_only\\n| project days, alerts = case(isempty(alerts), 0, alerts) , threats = case(isempty(threats), 0, threats)\\n| order by days asc \\n| render 
timechart\",\"size\":0,\"timeContextFromParameter\":\"time_range_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 2\"}]},\"name\":\"Alert Trend\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Alerts in Table\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SalemAlerts_CL\\n| extend pred = parse_json(prediction_s)[-1]\\n| extend treat_level = case(pred > 0.7, \\\"High\\\", pred < 0.35, \\\"Low\\\", \\\"Medium\\\")\\n| extend investigation_status = case(incident_s == \\\"1\\\", \\\"Threat\\\", incident_s == \\\"0\\\", \\\"False Positive\\\", \\\"Not Escalated\\\")\\n| project report_time_t, id_s, alert_name_s, treat_level, investigation_status\",\"size\":3,\"timeContextFromParameter\":\"time_range_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"report_time_t\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"report_time_t\",\"sortOrder\":2}]},\"name\":\"query - 2\"}]},\"name\":\"group - 5\",\"styleSettings\":{\"showBorder\":true}}]}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=SalemDashboard; logoFileName=salem_logo.svg; description=Monitor Salem Performance; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Salem Alerts Workbook; templateRelativePath=SalemDashboard.json; subtitle=; provider=SalemCyber}.description", + "parentId": 
"[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "SalemCyber", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Salem Cyber", + "email": "[variables('_email')]" + }, + "support": { + "name": "Salem Cyber", + "email": "support@salemcyber.com", + "tier": "Partner", + "link": "https://www.salemcyber.com/contact" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "SalemAlerts_CL", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SendAlertToSalem Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "type": "string", + "metadata": { + "description": "A Globally unique name for the integration logic app" + } 
+ }, + "SalemEventHubConnectionString": { + "type": "securestring", + "metadata": { + "description": "The Connection String from the Salem 'alerts' Event Hub" + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location for all resources. Leave blank to use location of resource group" + } + } + }, + "variables": { + "SalemEventHubConnectionName": "Salem-EventHub", + "SentinelConnectionName": "Salem-MicrosoftSentinel", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/eventhubs')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/azuresentinel')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[parameters('location')]", + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_alert": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Alert_-_Get_incident": { + "type": "ApiConnection", + "inputs": { + "host": { + 
"connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + } + }, + "Initialize_variable_alert_body": { + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "alert_body", + "type": "object", + "value": { + "custom_details": "@json(coalesce(triggerBody()?['ExtendedProperties']?['Custom Details'],'{}'))", + "earliest": "@triggerBody()['ExtendedProperties']['Query Start Time UTC']", + "entities": "@triggerBody()?['Entities']", + "incident_id": "@body('Alert_-_Get_incident')?['properties']?['incidentNumber']", + "latest": "@triggerBody()['ExtendedProperties']['Query End Time UTC']" + } + } + ] + } + }, + "Initialize_variable_alert": { + "runAfter": { + "Initialize_variable_alert_body": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "alert_formatted", + "type": "object", + "value": { + "alert": "@variables('alert_body')", + "alert_name": "@triggerBody()?['AlertDisplayName']", + "id": "@triggerBody()?['SystemAlertId']", + "source": "sentinel" + } + } + ] + } + }, + "Send_event": { + "runAfter": { + "Initialize_variable_alert": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "ContentData": "@{base64(variables('alert_formatted'))}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['eventhubs']['connectionId']" + } + }, + "method": "post", + "path": "/@{encodeURIComponent('alerts')}/events" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": 
"[[resourceId('Microsoft.Web/connections', variables('SentinelConnectionName'))]", + "connectionName": "[[variables('SentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/azuresentinel')]" + }, + "eventhubs": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('SalemEventHubConnectionname'))]", + "connectionName": "[[variables('SalemEventHubConnectionname')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/eventhubs')]" + } + } + } + } + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('SentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('SalemEventHubConnectionname'))]" + ], + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('SalemEventHubConnectionname')]", + "location": "[[parameters('location')]", + "kind": "V1", + "properties": { + "displayName": "Salem Event Hubs", + "api": { + "name": "[[variables('SalemEventHubConnectionname')]", + "displayName": "Salem Event Hubs", + "description": "Connect to The Salem Event Hub to send alerts.", + "id": "[[variables('_connection-2')]", + "type": "Microsoft.Web/locations/managedApis" + }, + "parameterValues": { + "connectionString": "[[parameters('SalemEventHubConnectionString')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('SentinelConnectionName')]", + "location": "[[parameters('location')]", + "kind": "V1", + "properties": { + "displayName": "Microsoft Sentinel", + "api": { + "name": "[[variables('SentinelConnectionName')]", + "displayName": "Microsoft Sentinel", + "description": "Cloud-native SIEM with a built-in AI so you can 
focus on what matters most", + "id": "[[variables('_connection-3')]", + "type": "Microsoft.Web/locations/managedApis" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "SalemCyber", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Salem Cyber", + "email": "[variables('_email')]" + }, + "support": { + "name": "Salem Cyber", + "email": "support@salemcyber.com", + "tier": "Partner", + "link": "https://www.salemcyber.com/contact" + } + } + } + ], + "metadata": { + "title": "Send-Sentinel-Alerts-to-Salem", + "description": "Use this playbook to send Microsoft Sentinel alerts to Salem Virtual Cyber Analyst", + "prerequisites": [ + "Install Salem from the Azure Marketplace", + "Obtain the send key from the Alerts Eventhub in the Salem resource group" + ], + "postDeployment": [ + "**Authorize Connection**", + "Once the Playbook is deployed, you must authorize the API connection to Microsoft Sentinel", + "1. Find the newly deployed logic app resource", + "2. Select 'API Connections' from the left side menu", + "3. Select the 'Salem-MicrosoftSentinel' API connection", + "4. Select 'Edit API Connection' from the left side menu", + "5. Select 'Authorize'", + "6. 
Once Authorized, save the api connection" + ], + "lastUpdateTime": "2023-08-23T00:00:00Z", + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Send-Sentinel-Alerts-to-Salem", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "SendAlertToSalem", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "SalemCyber", + "publisherDisplayName": "Microsoft Sentinel, Salem Cyber", + "descriptionHtml": "
Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nSalem, AI Cyber analyst, automatically investigates Microsoft Sentinel alerts and escalates validated threats that require your attention.
\nThis Microsoft Sentinel integration allows you to send new Microsoft Sentinel alerts to Salem for analysis and reporting.
\nWhy Salem?
\nMost alerts are false positives. Salem automatically triages noisy cyber alerts to find a small number of threats that require your attention.
\nSalem scales the impact of your cyber team by helping you respond well 24/7 to a wide range of security threats.
\nSalem's AI learns from your team and customizes its analysis to your cyber relevant business context.
\nGet Started with Salem
\nYou can find and install Salem, AI cyber analyst in the Azure Marketplace
\nWorkbooks: 1, Playbooks: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "SalemCyber", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Salem Cyber", + "email": "[variables('_email')]" + }, + "support": { + "name": "Salem Cyber", + "email": "support@salemcyber.com", + "tier": "Partner", + "link": "https://www.salemcyber.com/contact" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SendAlertToSalem')]", + "version": "[variables('playbookVersion1')]" + } + ] + }, + "firstPublishDate": "2023-07-21", + "lastPublishDate": "2023-07-21", + "providers": [ + "Salem Cyber" + ], + "categories": { + "domains": [ + "Security - Automation (SOAR)", + "Security - Insider Threat" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/Solutions/SalemCyber/Playbooks/SendAlertToSalem/azuredeploy.json b/Solutions/SalemCyber/Playbooks/SendAlertToSalem/azuredeploy.json new file mode 100644 index 00000000000..d6b9c58c8e3 --- /dev/null +++ b/Solutions/SalemCyber/Playbooks/SendAlertToSalem/azuredeploy.json 
@@ -0,0 +1,230 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Send-Sentinel-Alerts-to-Salem", + "description": "Use this playbook to send Microsoft Sentinel alerts to Salem Virtual Cyber Analyst", + "prerequisites": [ + "Install Salem from the Azure Marketplace", + "Obtain the send key from the Alerts Eventhub in the Salem resource group" + ], + "postDeployment": [ + "**Authorize Connection**", + "Once the Playbook is deployed, you must authorize the API connection to Microsoft Sentinel", + "1. Find the newly deployed logic app resource", + "2. Select 'API Connections' from the left side menu", + "3. Select the 'Salem-MicrosoftSentinel' API connection", + "4. Select 'Edit API Connection' from the left side menu", + "5. Select 'Authorize'", + "6. Once Authorized, save the api connection" + ], + "lastUpdateTime": "2023-08-23T00:00:00.000Z", + "author": { + "name": "Salem Cyber" + }, + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Send-Sentinel-Alerts-to-Salem", + "notes": [ "Initial version" ] + } + ] + }, + "parameters": { + "PlaybookName": { + "type": "string", + "metadata": { + "description": "A Globally unique name for the integration logic app" + } + }, + "SalemEventHubConnectionString": { + "type": "securestring", + "metadata": { + "description": "The Connection String from the Salem 'alerts' Event Hub" + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location for all resources. 
Leave blank to use location of resource group" + } + } + }, + "variables": { + "SalemEventHubConnectionName": "Salem-EventHub", + "SentinelConnectionName": "Salem-MicrosoftSentinel" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[parameters('PlaybookName')]", + "location": "[parameters('location')]", + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_alert": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Alert_-_Get_incident": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + } + }, + "Initialize_variable_alert_body": { + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "alert_body", + "type": "object", + "value": { + "custom_details": "@json(coalesce(triggerBody()?['ExtendedProperties']?['Custom Details'],'{}'))", + "earliest": "@triggerBody()['ExtendedProperties']['Query Start Time UTC']", + "entities": "@triggerBody()?['Entities']", + "incident_id": 
"@body('Alert_-_Get_incident')?['properties']?['incidentNumber']", + "latest": "@triggerBody()['ExtendedProperties']['Query End Time UTC']" + } + } + ] + } + }, + "Initialize_variable_alert": { + "runAfter": { + "Initialize_variable_alert_body": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "alert_formatted", + "type": "object", + "value": { + "alert": "@variables('alert_body')", + "alert_name": "@triggerBody()?['AlertDisplayName']", + "id": "@triggerBody()?['SystemAlertId']", + "source": "sentinel" + } + } + ] + } + }, + "Send_event": { + "runAfter": { + "Initialize_variable_alert": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "ContentData": "@{base64(variables('alert_formatted'))}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['eventhubs']['connectionId']" + } + }, + "method": "post", + "path": "/@{encodeURIComponent('alerts')}/events" + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('SentinelConnectionName'))]", + "connectionName": "[variables('SentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/azuresentinel')]" + }, + "eventhubs": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('SalemEventHubConnectionname'))]", + "connectionName": "[variables('SalemEventHubConnectionname')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/eventhubs')]" + } + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('SentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('SalemEventHubConnectionname'))]" + ] + }, + { + "type": 
"Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('SalemEventHubConnectionname')]", + "location": "[parameters('location')]", + "kind": "V1", + "properties": { + "displayName": "Salem Event Hubs", + "api": { + "name": "[variables('SalemEventHubConnectionname')]", + "displayName": "Salem Event Hubs", + "description": "Connect to The Salem Event Hub to send alerts.", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/eventhubs')]", + "type": "Microsoft.Web/locations/managedApis" + }, + "parameterValues": { + "connectionString": "[parameters('SalemEventHubConnectionString')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('SentinelConnectionName')]", + "location": "[parameters('location')]", + "kind": "V1", + "properties": { + "displayName": "Microsoft Sentinel", + "api": { + "name": "[variables('SentinelConnectionName')]", + "displayName": "Microsoft Sentinel", + "description": "Cloud-native SIEM with a built-in AI so you can focus on what matters most", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/azuresentinel')]", + "type": "Microsoft.Web/locations/managedApis" + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/SalemCyber/Playbooks/SendAlertToSalem/readme.md b/Solutions/SalemCyber/Playbooks/SendAlertToSalem/readme.md new file mode 100644 index 00000000000..f77c5c53e08 --- /dev/null +++ b/Solutions/SalemCyber/Playbooks/SendAlertToSalem/readme.md 
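Review bot: The `location` parameter's description says "Leave blank to use location of resource group", but the parameter declares no `defaultValue`, so an empty value is passed straight into `parameters('location')` on every resource and into the managedApis paths; add `"defaultValue": "[resourceGroup().location]"` under `"location"` (the copy of this template embedded in mainTemplate.json appears to carry the same parameter without a default). In `Initialize_variable_alert_body` the `earliest` and `latest` expressions index `triggerBody()['ExtendedProperties'][...]` without the null-safe `?` that the `custom_details` line directly above already uses, so an alert whose payload lacks those keys fails the run before anything reaches the Event Hub; `"earliest": "@triggerBody()?['ExtendedProperties']?['Query Start Time UTC']"` and the same form for `latest`. The variable is declared as `SalemEventHubConnectionName` but referenced throughout as `variables('SalemEventHubConnectionname')`; ARM resolves these case-insensitively as far as I know, but the spelling should match the declaration so a later rename does not silently break the references.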
@@ -0,0 +1,37 @@ +# Send Alerts to Salem Playbook Guide + +## Overview + +This playbook is designed to make it simple to send new Microsoft Sentinel alerts to Salem for investigation. This playbook will forward alerts to the EventHub instance in the Salem managed resource group. + +## Prerequisites + +- Have an active Salem application installed in Azure. The Salem app can be found in the [Azure Marketplace](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/saleminc1627928803559.salemcyber) + +## Pre-deployment + +### Update Event Hub network settings + +Collect the Salem Event Hub send key. This value will be required during playbook deployment and will enable the playbook to forward new Microsoft Sentinel Alerts to Salem. + +The key from the 'alerts' EventHub namespace in the Salem EventHub. You can find this key in the Azure portal for the event hub resource in the Salem managed resource group. The key will already exist, however, you can generate a new key if you wish. If you do create a new key, ensure the key has 'send' permissions. + +## Post Deployment + +### Authorize the API connection + +When deploying the playbook, a new API connection resource was created and needs to be authorized. + +1. Find the API connections created by deploying the Defender APT integration. The API connections will be called 'Salem-MicrosoftSentinel' and 'Salem-DefenderATP' + +## Update Event Hub network settings + +The Salem Event Hub has default network rules that may prevent this playbook from connecting. One way to allow network traffic to the Event Hub is to update the Event Hub network settings to allow inbound connections from the IP addresses associated with the region in which you deploy the playbook. 
You can find the IP ranges based on the region you deployed this playbook, [here](https://learn.microsoft.com/en-us/connectors/common/outbound-ip-addresses#azure-logic-apps) + +The Event Hub used by Salem is located in the Salem managed resource group. You can find this resource group in the overview page of the Salem application. + +It is also possible to use vNet integration or private endpoints to communicate between the playbook and the Salem Event Hub + +## Get Help + +For support, contact [support@salemcyber.com](mailto:support@salemcyber.com) diff --git a/Solutions/SalemCyber/Playbooks/images/Playbook Logic App Designer View.png b/Solutions/SalemCyber/Playbooks/images/Playbook Logic App Designer View.png new file mode 100644 index 00000000000..b11f579ba5b Binary files /dev/null and b/Solutions/SalemCyber/Playbooks/images/Playbook Logic App Designer View.png differ diff --git a/Solutions/SalemCyber/ReleaseNotes.md b/Solutions/SalemCyber/ReleaseNotes.md new file mode 100644 index 00000000000..bf76b9043ea --- /dev/null +++ b/Solutions/SalemCyber/ReleaseNotes.md @@ -0,0 +1,3 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|---------------------------------------------| +| 3.0.0 | 14-07-2023 | Initial Version Release | \ No newline at end of file diff --git a/Solutions/SalemCyber/SolutionMetadata.json b/Solutions/SalemCyber/SolutionMetadata.json new file mode 100644 index 00000000000..fa8b02b252f --- /dev/null +++ b/Solutions/SalemCyber/SolutionMetadata.json 
@@ -0,0 +1,17 @@
+{
+ "publisherId": "saleminc1627928803559",
+ "offerId": "salem-cyber-ai-analyst",
+ "firstPublishDate": "2023-07-21",
+ "lastPublishDate": "2023-07-21",
+ "providers": ["Salem Cyber"],
+ "categories": {
+ "domains" : ["Security - Automation (SOAR)", "Security - Insider Threat"],
+ "verticals": []
+ },
+ "support": {
+ "name": "Salem Cyber",
+ "email": "support@salemcyber.com",
+ "tier": "Partner",
+ "link": "https://www.salemcyber.com/contact"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/SalemCyber/Workbooks/SalemDashboard.json b/Solutions/SalemCyber/Workbooks/SalemDashboard.json
new file mode 100644
index 00000000000..fa9639edb3f
--- /dev/null
+++ b/Solutions/SalemCyber/Workbooks/SalemDashboard.json
@@ -0,0 +1,326 @@ +{ + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json", + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "ea0c0933-39f4-4220-9afc-d2aca2b7afc7", + "version": "KqlParameterItem/1.0", + "name": "time_range_picker", + "label": "Time Range Picker", + "type": 4, + "isGlobal": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 86400000 + } + }, + { + "id": "78694e68-cdb6-4156-9847-b19b75c2b04f", + "version": "KqlParameterItem/1.0", + "name": "row_count", + "label": "Row Count", + "type": 2, + "description": "Number of rows to display", + "isGlobal": true, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\n 1, 5, 25\n]", + "timeContext": { + "durationMs": 86400000 + }, + "value": "5" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Top Row", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SalemAlerts_CL \n| extend pred = parse_json(prediction_s)[-1]\n| extend investigation_status = case(incident_s == \"1\", \"Threat\", incident_s == \"0\", \"False Positive\", \"Not Escalated\")\n| where investigation_status == \"Threat\"\n| summarize escalated_threats = count()\n| project Count = escalated_threats", + "size": 3, + "title": "Escalated Threats", + 
"noDataMessageStyle": 4, + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "tileSettings": { + "showBorder": false + }, + "mapSettings": { + "locInfo": "LatLong", + "sizeSettings": "Count", + "sizeAggregation": "Sum", + "legendMetric": "Count", + "legendAggregation": "Sum", + "itemColorSettings": { + "type": "heatmap", + "colorAggregation": "Sum", + "nodeColorField": "Count", + "heatmapPalette": "greenRed" + } + }, + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "50", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SalemAlerts_CL\n| summarize Count = count()", + "size": 3, + "title": "Alerts Analyzed", + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "gridSettings": { + "rowLimit": 50 + }, + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SalemAlerts_CL \n| extend pred = parse_json(prediction_s)[-1]\n| extend investigation_status = case(incident_s == \"1\", \"Threat\", incident_s == \"0\", \"False Positive\", \"Not Escalated\")\n| where investigation_status == \"Threat\"\n| summarize cnt = count() by alert_name_s\n| order by cnt desc\n| project alert_name = alert_name_s, Count = cnt\n| take {row_count}", + "size": 3, + "title": "Common Escalated Threats", + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "alert_name", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + 
"maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "alert_name", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "Count", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SalemAlerts_CL \n| summarize cnt = count() by alert_name_s\n| order by cnt desc\n| project alert_name = alert_name_s, Count = cnt\n| take {row_count}", + "size": 3, + "title": "Common Alerts", + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "query - 5" + } + ] + }, + "name": "Top Row", + "styleSettings": { + "margin": "5", + "padding": "5", + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Most Targeted", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SalemAlerts_CL \n| extend pred = parse_json(prediction_s)[-1]\n| extend investigation_status = case(incident_s == \"1\", \"Threat\", incident_s == \"0\", \"False Positive\", \"Not Escalated\")\n| where investigation_status == \"Threat\"\n| extend context = parse_json(context_s)\n| mv-expand context.account\n| where isnotempty( context_account) \n| summarize cnt = count() by tostring(context_account)\n| order by cnt desc \n| take 5\n| project Targeted_Accounts = context_account, Count = cnt", + "size": 3, + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SalemAlerts_CL\n| where 
incident_s == \"1\"\n| extend context = parse_json(context_s)\n| extend res_context = case(set_has_element(context.dest, \"external_resource\"), context.src, context.dest)\n| mv-expand res_context\n| where res_context !in (\"internal_resource\",\"isHostName\")\n| where isnotempty(res_context)\n| summarize Count = count() by tostring(res_context)\n| order by Count desc\n| project Targeted_Resources = res_context, Count\n| take {row_count}", + "size": 3, + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "query - 4 - Copy" + } + ] + }, + "name": "most_targeted", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Alert Trend", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "range days from {time_range_picker:start} to {time_range_picker:end} step 1d\n| project days, day_only = format_datetime(days, \"MM/dd/yyyy\")\n| join kind=leftouter (\n SalemAlerts_CL\n | summarize alerts = count() by bin(report_time_t, 1d)\n | project report_time_t, alerts\n | join kind=leftouter (\n SalemAlerts_CL\n | where incident_s == \"1\"\n | summarize threats = count() by bin(report_time_t, 1d)\n | project report_time_t, threats\n ) on report_time_t\n | project day_only = format_datetime(report_time_t1, \"MM/dd/yyyy\"), alerts, threats\n) on day_only\n| project days, alerts = case(isempty(alerts), 0, alerts) , threats = case(isempty(threats), 0, threats)\n| order by days asc \n| render timechart", + "size": 0, + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "query - 2" + } + ] + }, + "name": "Alert Trend", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": 
"editable", + "title": "Alerts in Table", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SalemAlerts_CL\n| extend pred = parse_json(prediction_s)[-1]\n| extend treat_level = case(pred > 0.7, \"High\", pred < 0.35, \"Low\", \"Medium\")\n| extend investigation_status = case(incident_s == \"1\", \"Threat\", incident_s == \"0\", \"False Positive\", \"Not Escalated\")\n| project report_time_t, id_s, alert_name_s, treat_level, investigation_status", + "size": 3, + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "sortBy": [ + { + "itemKey": "report_time_t", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "report_time_t", + "sortOrder": 2 + } + ] + }, + "name": "query - 2" + } + ] + }, + "name": "group - 5", + "styleSettings": { + "showBorder": true + } + } + ] + } \ No newline at end of file diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index 787b3725049..918354e9fc3 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json 
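Review bot: In the "Alert Trend" query the inner subquery projects `day_only = format_datetime(report_time_t1, ...)`, but `report_time_t1` is the right-hand key of a `leftouter` join and is empty for any day that had alerts but no escalated threats, so those days fail the outer join on `day_only` and render as 0 alerts; use the left-hand key instead, `| project day_only = format_datetime(report_time_t, \"MM/dd/yyyy\"), alerts, threats`. The "Alerts in Table" query projects `id_s`, while the sample CSV added in this commit appears to name that column `id_g` — worth confirming which name the SalemAlerts_CL table actually carries, since the column would otherwise come back empty. Its `treat_level` column is presumably meant to be `threat_level`. Several queries also `extend pred = parse_json(prediction_s)[-1]` without using `pred`, and the "Most Targeted" accounts query hard-codes `take 5` where its sibling queries use `{row_count}`.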
@@ -1,5478 +1,5491 @@ [ - { - "workbookKey": "42CrunchAPIProtectionWorkbook", - "logoFileName": "42CrunchLogo.svg", - "description": "Monitor and protect APIs using the 42Crunch API microfirewall", - "dataTypesDependencies": [ - "apifirewall_log_1_CL" - ], - "dataConnectorsDependencies": [ - "42CrunchAPIProtection" - ], - "previewImagesFileNames": [ - "42CrunchInstancesBlack.png", - "42CrunchInstancesWhite.png", - "42CrunchRequestsBlack.png", - "42CrunchRequestsWhite.png", - "42CrunchStatusBlack.png", - "42CrunchStatusWhite.png" - ], - "version": "1.0.0", - "title": "42Crunch API Protection Workbook", - "templateRelativePath": "42CrunchAPIProtectionWorkbook.json", - "subtitle": "", - "provider": "42Crunch" - }, - { - "workbookKey": "ForcepointNGFWAdvanced", - "logoFileName": "FPAdvLogo.svg", - "description": "Gain threat intelligence correlated security and application insights on Forcepoint NGFW (Next Generation Firewall). Monitor Forcepoint logging servers health.", - "dataTypesDependencies": [ - "CommonSecurityLog", - "ThreatIntelligenceIndicator" - ], - "dataConnectorsDependencies": [ - "ForcepointNgfw", - "ThreatIntelligence" - ], - "previewImagesFileNames": [ - "ForcepointNGFWAdvancedWhite.png", - "ForcepointNGFWAdvancedBlack.png" - ], - "version": "1.0.0", - "title": "Forcepoint Next Generation Firewall (NGFW) Advanced Workbook", - "templateRelativePath": "ForcepointNGFWAdvanced.json", - "subtitle": "", - "provider": "Forcepoint" - }, - { - "workbookKey": "AzureActivityWorkbook", - "logoFileName": "azureactivity_logo.svg", - "description": "Gain extensive insight into your organization's Azure Activity by analyzing, and correlating all user operations and events.\nYou can learn about all user operations, trends, and anomalous changes over time.\nThis workbook gives you the ability to drill down into caller activities and summarize detected failure and warning events.", - "dataTypesDependencies": [ - "AzureActivity" - ], - "dataConnectorsDependencies": [ - 
"AzureActivity" - ], - "previewImagesFileNames": [ - "AzureActivityWhite1.png", - "AzureActivityBlack1.png" - ], - "version": "2.0.0", - "title": "Azure Activity", - "templateRelativePath": "AzureActivity.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "IdentityAndAccessWorkbook", - "logoFileName": "Microsoft_logo.svg", - "description": "Gain insights into Identity and access operations by collecting and analyzing security logs, using the audit and sign-in logs to gather insights into use of Microsoft products.\nYou can view anomalies and trends across login events from all users and machines. This workbook also identifies suspicious entities from login and access events.", - "dataTypesDependencies": [ - "SecurityEvent" - ], - "dataConnectorsDependencies": [ - "SecurityEvents", - "WindowsSecurityEvents" - ], - "previewImagesFileNames": [ - "IdentityAndAccessWhite.png", - "IdentityAndAccessBlack.png" - ], - "version": "1.1.0", - "title": "Identity & Access", - "templateRelativePath": "IdentityAndAccess.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "CheckPointWorkbook", - "logoFileName": "checkpoint_logo.svg", - "description": "Gain insights into Check Point network activities, including number of gateways and servers, security incidents, and identify infected hosts.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "CheckPoint" - ], - "previewImagesFileNames": [ - "CheckPointWhite.png", - "CheckPointBlack.png" - ], - "version": "1.0.0", - "title": "Check Point Software Technologies", - "templateRelativePath": "CheckPoint.json", - "subtitle": "", - "provider": "Check Point" - }, - { - "workbookKey": "CiscoWorkbook", - "logoFileName": "cisco_logo.svg", - "description": "Gain insights into your Cisco ASA firewalls by analyzing traffic, events, and firewall operations.\nThis workbook analyzes Cisco ASA threat events and identifies suspicious ports, users, protocols 
and IP addresses.\nYou can learn about trends across user and data traffic directions, and drill down into the Cisco filter results.\nEasily detect attacks on your organization by monitoring management operations, such as configuration and logins.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "CiscoASA" - ], - "previewImagesFileNames": [ - "CiscoWhite.png", - "CiscoBlack.png" - ], - "version": "1.1.0", - "title": "Cisco - ASA", - "templateRelativePath": "Cisco.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "PaloAltoOverviewWorkbook", - "logoFileName": "paloalto_logo.svg", - "description": "Gain insights and comprehensive monitoring into Palo Alto firewalls by analyzing traffic and activities.\nThis workbook correlates all Palo Alto data with threat events to identify suspicious entities and relationships.\nYou can learn about trends across user and data traffic, and drill down into Palo Alto Wildfire and filter results.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "PaloAltoNetworks" - ], - "previewImagesFileNames": [ - "PaloAltoOverviewWhite1.png", - "PaloAltoOverviewBlack1.png", - "PaloAltoOverviewWhite2.png", - "PaloAltoOverviewBlack2.png", - "PaloAltoOverviewWhite3.png", - "PaloAltoOverviewBlack3.png" - ], - "version": "1.2.0", - "title": "Palo Alto overview", - "templateRelativePath": "PaloAltoOverview.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "PaloAltoNetworkThreatWorkbook", - "logoFileName": "paloalto_logo.svg", - "description": "Gain insights into Palo Alto network activities by analyzing threat events.\nYou can extract meaningful security information by correlating data between threats, applications, and time.\nThis workbook makes it easy to track malware, vulnerability, and virus log events.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - 
"PaloAltoNetworks" - ], - "previewImagesFileNames": [ - "PaloAltoNetworkThreatWhite1.png", - "PaloAltoNetworkThreatBlack1.png", - "PaloAltoNetworkThreatWhite2.png", - "PaloAltoNetworkThreatBlack2.png" - ], - "version": "1.1.0", - "title": "Palo Alto Network Threat", - "templateRelativePath": "PaloAltoNetworkThreat.json", - "subtitle": "", - "provider": "Palo Alto Networks" - }, - { - "workbookKey": "EsetSMCWorkbook", - "logoFileName": "eset-logo.svg", - "description": "Visualize events and threats from Eset Security Management Center.", - "dataTypesDependencies": [ - "eset_CL" - ], - "dataConnectorsDependencies": [ - "EsetSMC" - ], - "previewImagesFileNames": [ - "esetSMCWorkbook-black.png", - "esetSMCWorkbook-white.png" - ], - "version": "1.0.0", - "title": "Eset Security Management Center Overview", - "templateRelativePath": "esetSMCWorkbook.json", - "subtitle": "", - "provider": "Community" - }, - { - "workbookKey": "FortigateWorkbook", - "logoFileName": "fortinet_logo.svg", - "description": "Gain insights into Fortigate firewalls by analyzing traffic and activities.\nThis workbook finds correlations in Fortigate threat events and identifies suspicious ports, users, protocols and IP addresses.\nYou can learn about trends across user and data traffic, and drill down into the Fortigate filter results.\nEasily detect attacks on your organization by monitoring management operations such as configuration and logins.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "Fortinet" - ], - "previewImagesFileNames": [ - "FortigateWhite.png", - "FortigateBlack.png" - ], - "version": "1.1.0", - "title": "FortiGate", - "templateRelativePath": "Fortigate.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "DnsWorkbook", - "logoFileName": "dns_logo.svg", - "description": "Gain extensive insight into your organization's DNS by analyzing, collecting and correlating all DNS events.\nThis workbook exposes a variety 
of information about suspicious queries, malicious IP addresses and domain operations.", - "dataTypesDependencies": [ - "DnsInventory", - "DnsEvents" - ], - "dataConnectorsDependencies": [ - "DNS" - ], - "previewImagesFileNames": [ - "DnsWhite.png", - "DnsBlack.png" - ], - "version": "1.3.0", - "title": "DNS", - "templateRelativePath": "Dns.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "AzureActiveDirectorySigninLogsWorkbook", - "logoFileName": "azureactivedirectory_logo.svg", - "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.", - "dataTypesDependencies": [ - "SigninLogs" - ], - "dataConnectorsDependencies": [ - "AzureActiveDirectory" - ], - "previewImagesFileNames": [ - "AADsigninBlack1.png", - "AADsigninBlack2.png", - "AADsigninWhite1.png", - "AADsigninWhite2.png" - ], - "version": "2.4.0", - "title": "Azure AD Sign-in logs", - "templateRelativePath": "AzureActiveDirectorySignins.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "VirtualMachinesInsightsWorkbook", - "logoFileName": "azurevirtualmachine_logo.svg", - "description": "Gain rich insight into your organization's virtual machines from Azure Monitor, which analyzes and correlates data in your VM network. \nYou will get visibility on your VM parameters and behavior, and will be able to trace sent and received data. 
\nIdentify malicious attackers and their targets, and drill down into the protocols, source and destination IP addresses, countries, and ports the attacks occur across.", - "dataTypesDependencies": [ - "VMConnection", - "ServiceMapComputer_CL", - "ServiceMapProcess_CL" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "VMInsightBlack1.png", - "VMInsightWhite1.png" - ], - "version": "1.3.0", - "title": "VM insights", - "templateRelativePath": "VirtualMachinesInsights.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "AzureActiveDirectoryAuditLogsWorkbook", - "logoFileName": "azureactivedirectory_logo.svg", - "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.", - "dataTypesDependencies": [ - "AuditLogs" - ], - "dataConnectorsDependencies": [ - "AzureActiveDirectory" - ], - "previewImagesFileNames": [ - "AzureADAuditLogsBlack1.png", - "AzureADAuditLogsWhite1.png" - ], - "version": "1.2.0", - "title": "Azure AD Audit logs", - "templateRelativePath": "AzureActiveDirectoryAuditLogs.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "ThreatIntelligenceWorkbook", - "logoFileName": "", - "description": "Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. 
Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable.", - "dataTypesDependencies": [ - "ThreatIntelligenceIndicator", - "SecurityIncident" - ], - "dataConnectorsDependencies": [ - "ThreatIntelligence", - "ThreatIntelligenceTaxii" - ], - "previewImagesFileNames": [ - "ThreatIntelligenceWhite.png", - "ThreatIntelligenceBlack.png" - ], - "version": "5.0.0", - "title": "Threat Intelligence", - "templateRelativePath": "ThreatIntelligence.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "WebApplicationFirewallOverviewWorkbook", - "logoFileName": "waf_logo.svg", - "description": "Gain insights into your organization's Azure web application firewall (WAF). You will get a general overview of your application gateway firewall and application gateway access events.", - "dataTypesDependencies": [ - "AzureDiagnostics" - ], - "dataConnectorsDependencies": [ - "WAF" - ], - "previewImagesFileNames": [ - "WAFOverviewBlack.png", - "WAFOverviewWhite.png" - ], - "version": "1.1.0", - "title": "Microsoft Web Application Firewall (WAF) - overview", - "templateRelativePath": "WebApplicationFirewallOverview.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "WebApplicationFirewallFirewallEventsWorkbook", - "logoFileName": "waf_logo.svg", - "description": "Gain insights into your organization's Azure web application firewall (WAF). You will get visibility in to your application gateway firewall. 
You can view anomalies and trends across all firewall event triggers, attack events, blocked URL addresses and more.", - "dataTypesDependencies": [ - "AzureDiagnostics" - ], - "dataConnectorsDependencies": [ - "WAF" - ], - "previewImagesFileNames": [ - "WAFFirewallEventsBlack1.png", - "WAFFirewallEventsBlack2.png", - "WAFFirewallEventsWhite1.png", - "WAFFirewallEventsWhite2.png" - ], - "version": "1.1.0", - "title": "Microsoft Web Application Firewall (WAF) - firewall events", - "templateRelativePath": "WebApplicationFirewallFirewallEvents.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "WebApplicationFirewallGatewayAccessEventsWorkbook", - "logoFileName": "waf_logo.svg", - "description": "Gain insights into your organization's Azure web application firewall (WAF). You will get visibility in to your application gateway access events. You can view anomalies and trends across received and sent data, client IP addresses, URL addresses and more, and drill down into details.", - "dataTypesDependencies": [ - "AzureDiagnostics" - ], - "dataConnectorsDependencies": [ - "WAF" - ], - "previewImagesFileNames": [ - "WAFGatewayAccessEventsBlack1.png", - "WAFGatewayAccessEventsBlack2.png", - "WAFGatewayAccessEventsWhite1.png", - "WAFGatewayAccessEventsWhite2.png" - ], - "version": "1.2.0", - "title": "Microsoft Web Application Firewall (WAF) - gateway access events", - "templateRelativePath": "WebApplicationFirewallGatewayAccessEvents.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "LinuxMachinesWorkbook", - "logoFileName": "azurevirtualmachine_logo.svg", - "description": "Gain insights into your workspaces' Linux machines by connecting Microsoft Sentinel and using the logs to gather insights around Linux events and errors.", - "dataTypesDependencies": [ - "Syslog" - ], - "dataConnectorsDependencies": [ - "Syslog" - ], - "previewImagesFileNames": [ - "LinuxMachinesWhite.png", - "LinuxMachinesBlack.png" - ], - "version": 
"1.1.0", - "title": "Linux machines", - "templateRelativePath": "LinuxMachines.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "AzureFirewallWorkbook", - "logoFileName": "AzFirewalls.svg", - "description": "Gain insights into Azure Firewall events. You can learn about your application and network rules, see metrics for firewall activities across URLs, ports, and addresses across multiple workspaces.", - "dataTypesDependencies": [ - "AzureDiagnostics" - ], - "dataConnectorsDependencies": [ - "AzureFirewall" - ], - "previewImagesFileNames": [ - "AzureFirewallWorkbookWhite1.PNG", - "AzureFirewallWorkbookBlack1.PNG", - "AzureFirewallWorkbookWhite2.PNG", - "AzureFirewallWorkbookBlack2.PNG", - "AzureFirewallWorkbookWhite3.PNG", - "AzureFirewallWorkbookBlack3.PNG", - "AzureFirewallWorkbookWhite4.PNG", - "AzureFirewallWorkbookBlack4.PNG", - "AzureFirewallWorkbookWhite5.PNG", - "AzureFirewallWorkbookBlack5.PNG" - ], - "version": "1.3.0", - "title": "Azure Firewall", - "templateRelativePath": "AzureFirewallWorkbook.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "AzureFirewallWorkbook-StructuredLogs", - "logoFileName": "AzFirewalls.svg", - "description": "Gain insights into Azure Firewall events using the new Structured Logs for Azure Firewall. 
You can learn about your application and network rules, see metrics for firewall activities across URLs, ports, and addresses across multiple workspaces.", - "dataTypesDependencies": [ - "AZFWNetworkRule", - "AZFWApplicationRule", - "AZFWDnsQuery", - "AZFWThreatIntel" - ], - "dataConnectorsDependencies": [ - "AzureFirewall" - ], - "previewImagesFileNames": [ - "AzureFirewallWorkbookWhite1.PNG", - "AzureFirewallWorkbookBlack1.PNG", - "AzureFirewallWorkbookWhite2.PNG", - "AzureFirewallWorkbookBlack2.PNG", - "AzureFirewallWorkbookWhite3.PNG", - "AzureFirewallWorkbookBlack3.PNG", - "AzureFirewallWorkbookWhite4.PNG", - "AzureFirewallWorkbookBlack4.PNG", - "AzureFirewallWorkbookWhite5.PNG", - "AzureFirewallWorkbookBlack5.PNG" - ], - "version": "1.0.0", - "title": "Azure Firewall Structured Logs", - "templateRelativePath": "AzureFirewallWorkbook-StructuredLogs.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "AzureDDoSStandardProtection", - "logoFileName": "AzDDoS.svg", - "description": "This workbook visualizes security-relevant Azure DDoS events across several filterable panels. 
Offering a summary tab, metrics and a investigate tabs across multiple workspaces.", - "dataTypesDependencies": [ - "AzureDiagnostics" - ], - "dataConnectorsDependencies": [ - "DDOS" - ], - "previewImagesFileNames": [ - "AzureDDoSWhite1.PNG", - "AzureDDoSBlack1.PNG", - "AzureDDoSWhite2.PNG", - "AzureDDoSBlack2.PNG", - "AzureDDoSWhite2.PNG", - "AzureDDoSBlack2.PNG" - ], - "version": "1.0.2", - "title": "Azure DDoS Protection Workbook", - "templateRelativePath": "AzDDoSStandardWorkbook.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftCloudAppSecurityWorkbook", - "logoFileName": "Microsoft_logo.svg", - "description": "Using this workbook, you can identify which cloud apps are being used in your organization, gain insights from usage trends and drill down to a specific user and application.", - "dataTypesDependencies": [ - "McasShadowItReporting" - ], - "dataConnectorsDependencies": [ - "MicrosoftCloudAppSecurity" - ], - "previewImagesFileNames": [ - "McasDiscoveryBlack.png", - "McasDiscoveryWhite.png" - ], - "version": "1.2.0", - "title": "Microsoft Cloud App Security - discovery logs", - "templateRelativePath": "MicrosoftCloudAppSecurity.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "F5BIGIPSytemMetricsWorkbook", - "logoFileName": "f5_logo.svg", - "description": "Gain insight into F5 BIG-IP health and performance. 
This workbook provides visibility of various metrics including CPU, memory, connectivity, throughput and disk utilization.", - "dataTypesDependencies": [ - "F5Telemetry_system_CL", - "F5Telemetry_AVR_CL" - ], - "dataConnectorsDependencies": [ - "F5BigIp" - ], - "previewImagesFileNames": [ - "F5SMBlack.png", - "F5SMWhite.png" - ], - "version": "1.1.0", - "title": "F5 BIG-IP System Metrics", - "templateRelativePath": "F5BIGIPSystemMetrics.json", - "subtitle": "", - "provider": "F5 Networks" - }, - { - "workbookKey": "F5NetworksWorkbook", - "logoFileName": "f5_logo.svg", - "description": "Gain insights into F5 BIG-IP Application Security Manager (ASM), by analyzing traffic and activities.\nThis workbook provides insight into F5's web application firewall events and identifies attack traffic patterns across multiple ASM instances as well as overall BIG-IP health.", - "dataTypesDependencies": [ - "F5Telemetry_LTM_CL", - "F5Telemetry_system_CL", - "F5Telemetry_ASM_CL" - ], - "dataConnectorsDependencies": [ - "F5BigIp" - ], - "previewImagesFileNames": [ - "F5White.png", - "F5Black.png" - ], - "version": "1.1.0", - "title": "F5 BIG-IP ASM", - "templateRelativePath": "F5Networks.json", - "subtitle": "", - "provider": "F5 Networks" - }, - { - "workbookKey": "AzureNetworkWatcherWorkbook", - "logoFileName": "networkwatcher_logo.svg", - "description": "Gain deeper understanding of your organization's Azure network traffic by analyzing, and correlating Network Security Group flow logs. \nYou can trace malicious traffic flows, and drill down into their protocols, source and destination IP addresses, machines, countries, and subnets. 
\nThis workbook also helps you protect your network by identifying weak NSG rules.", - "dataTypesDependencies": [ - "AzureNetworkAnalytics_CL" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "AzureNetworkWatcherWhite.png", - "AzureNetworkWatcherBlack.png" - ], - "version": "1.1.0", - "title": "Azure Network Watcher", - "templateRelativePath": "AzureNetworkWatcher.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "ZscalerFirewallWorkbook", - "logoFileName": "zscaler_logo.svg", - "description": "Gain insights into your ZIA cloud firewall logs by connecting to Microsoft Sentinel.\nThe Zscaler firewall overview workbook provides an overview and ability to drill down into all cloud firewall activity in your Zscaler instance including non-web related networking events, security events, firewall rules, and bandwidth consumption", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "Zscaler" - ], - "previewImagesFileNames": [ - "ZscalerFirewallWhite1.png", - "ZscalerFirewallBlack1.png", - "ZscalerFirewallWhite2.png", - "ZscalerFirewallBlack2.png" - ], - "version": "1.1.0", - "title": "Zscaler Firewall", - "templateRelativePath": "ZscalerFirewall.json", - "subtitle": "", - "provider": "Zscaler" - }, - { - "workbookKey": "ZscalerWebOverviewWorkbook", - "logoFileName": "zscaler_logo.svg", - "description": "Gain insights into your ZIA web logs by connecting to Microsoft Sentinel.\nThe Zscaler web overview workbook provides a bird's eye view and ability to drill down into all the security and networking events related to web transactions, types of devices, and bandwidth consumption.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "Zscaler" - ], - "previewImagesFileNames": [ - "ZscalerWebOverviewWhite.png", - "ZscalerWebOverviewBlack.png" - ], - "version": "1.1.0", - "title": "Zscaler Web Overview", - "templateRelativePath": 
"ZscalerWebOverview.json", - "subtitle": "", - "provider": "Zscaler" - }, - { - "workbookKey": "ZscalerThreatsOverviewWorkbook", - "logoFileName": "zscaler_logo.svg", - "description": "Gain insights into threats blocked by Zscaler Internet access on your network.\nThe Zscaler threat overview workbook shows your entire threat landscape including blocked malware, IPS/AV rules, and blocked cloud apps. Threats are displayed by threat categories, filetypes, inbound vs outbound threats, usernames, user location, and more.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "Zscaler" - ], - "previewImagesFileNames": [ - "ZscalerThreatsWhite.png", - "ZscalerThreatsBlack.png" - ], - "version": "1.2.0", - "title": "Zscaler Threats", - "templateRelativePath": "ZscalerThreats.json", - "subtitle": "", - "provider": "Zscaler" - }, - { - "workbookKey": "ZscalerOffice365AppsWorkbook", - "logoFileName": "zscaler_logo.svg", - "description": "Gain insights into Office 365 use on your network.\nThe Zscaler Office 365 overview workbook shows you the Microsoft apps running on your network and their individual bandwidth consumption. 
It also helps identify phishing attempts in which attackers disguised themselves as Microsoft services.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "Zscaler" - ], - "previewImagesFileNames": [ - "ZscalerOffice365White.png", - "ZscalerOffice365Black.png" - ], - "version": "1.1.0", - "title": "Zscaler Office365 Apps", - "templateRelativePath": "ZscalerOffice365Apps.json", - "subtitle": "", - "provider": "Zscaler" - }, - { - "workbookKey": "InsecureProtocolsWorkbook", - "logoFileName": "Microsoft_logo.svg", - "description": "Gain insights into insecure protocol traffic by collecting and analyzing security events from Microsoft products.\nYou can view analytics and quickly identify use of weak authentication as well as sources of legacy protocol traffic, like NTLM and SMBv1.\nYou will also have the ability to monitor use of weak ciphers, allowing you to find weak spots in your organization's security.", - "dataTypesDependencies": [ - "SecurityEvent", - "Event", - "SigninLogs" - ], - "dataConnectorsDependencies": [ - "SecurityEvents", - "AzureActiveDirectory", - "WindowsSecurityEvents" - ], - "previewImagesFileNames": [ - "InsecureProtocolsWhite1.png", - "InsecureProtocolsBlack1.png", - "InsecureProtocolsWhite2.png", - "InsecureProtocolsBlack2.png" - ], - "version": "2.1.0", - "title": "Insecure Protocols", - "templateRelativePath": "InsecureProtocols.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "AmazonWebServicesNetworkActivitiesWorkbook", - "logoFileName": "amazon_web_services_Logo.svg", - "description": "Gain insights into AWS network related resource activities, including the creation, update, and deletions of security groups, network ACLs and routes, gateways, elastic load balancers, VPCs, subnets, and network interfaces.", - "dataTypesDependencies": [ - "AWSCloudTrail" - ], - "dataConnectorsDependencies": [ - "AWS" - ], - "previewImagesFileNames": [ - "AwsNetworkActivitiesWhite.png", 
- "AwsNetworkActivitiesBlack.png" - ], - "version": "1.0.0", - "title": "AWS Network Activities", - "templateRelativePath": "AmazonWebServicesNetworkActivities.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "AmazonWebServicesUserActivitiesWorkbook", - "logoFileName": "amazon_web_services_Logo.svg", - "description": "Gain insights into AWS user activities, including failed sign-in attempts, IP addresses, regions, user agents, and identity types, as well as potential malicious user activities with assumed roles.", - "dataTypesDependencies": [ - "AWSCloudTrail" - ], - "dataConnectorsDependencies": [ - "AWS" - ], - "previewImagesFileNames": [ - "AwsUserActivitiesWhite.png", - "AwsUserActivitiesBlack.png" - ], - "version": "1.0.0", - "title": "AWS User Activities", - "templateRelativePath": "AmazonWebServicesUserActivities.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "TrendMicroDeepSecurityAttackActivityWorkbook", - "logoFileName": "trendmicro_logo.svg", - "description": "Visualize and gain insights into the MITRE ATT&CK related activity detected by Trend Micro Deep Security.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "TrendMicro" - ], - "previewImagesFileNames": [ - "TrendMicroDeepSecurityAttackActivityWhite.png", - "TrendMicroDeepSecurityAttackActivityBlack.png" - ], - "version": "1.0.0", - "title": "Trend Micro Deep Security ATT&CK Related Activity", - "templateRelativePath": "TrendMicroDeepSecurityAttackActivity.json", - "subtitle": "", - "provider": "Trend Micro" - }, - { - "workbookKey": "TrendMicroDeepSecurityOverviewWorkbook", - "logoFileName": "trendmicro_logo.svg", - "description": "Gain insights into your Trend Micro Deep Security security event data by visualizing your Deep Security Anti-Malware, Firewall, Integrity Monitoring, Intrusion Prevention, Log Inspection, and Web Reputation event data.", - "dataTypesDependencies": [ - "CommonSecurityLog" 
- ], - "dataConnectorsDependencies": [ - "TrendMicro" - ], - "previewImagesFileNames": [ - "TrendMicroDeepSecurityOverviewWhite1.png", - "TrendMicroDeepSecurityOverviewBlack1.png", - "TrendMicroDeepSecurityOverviewWhite2.png", - "TrendMicroDeepSecurityOverviewBlack2.png" - ], - "version": "1.0.0", - "title": "Trend Micro Deep Security Events", - "templateRelativePath": "TrendMicroDeepSecurityOverview.json", - "subtitle": "", - "provider": "Trend Micro" - }, - { - "workbookKey": "ExtraHopDetectionSummaryWorkbook", - "logoFileName": "extrahop_logo.svg", - "description": "Gain insights into ExtraHop Reveal(x) detections by analyzing traffic and activities.\nThis workbook provides an overview of security detections in your organization's network, including high-risk detections and top participants.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "ExtraHopNetworks" - ], - "previewImagesFileNames": [ - "ExtrahopWhite.png", - "ExtrahopBlack.png" - ], - "version": "1.0.0", - "title": "ExtraHop", - "templateRelativePath": "ExtraHopDetectionSummary.json", - "subtitle": "", - "provider": "ExtraHop Networks" - }, - { - "workbookKey": "BarracudaCloudFirewallWorkbook", - "logoFileName": "barracuda_logo.svg", - "description": "Gain insights into your Barracuda CloudGen Firewall by analyzing firewall operations and events.\nThis workbook provides insights into rule enforcement, network activities, including number of connections, top users, and helps you identify applications that are popular on your network.", - "dataTypesDependencies": [ - "CommonSecurityLog", - "Syslog" - ], - "dataConnectorsDependencies": [ - "BarracudaCloudFirewall" - ], - "previewImagesFileNames": [ - "BarracudaWhite1.png", - "BarracudaBlack1.png", - "BarracudaWhite2.png", - "BarracudaBlack2.png" - ], - "version": "1.0.0", - "title": "Barracuda CloudGen FW", - "templateRelativePath": "Barracuda.json", - "subtitle": "", - "provider": "Barracuda" - }, - { - 
"workbookKey": "CitrixWorkbook", - "logoFileName": "citrix_logo.svg", - "description": "Citrix Analytics for Security aggregates and correlates information across network traffic, users, files and endpoints in Citrix environments. This generates actionable insights that enable Citrix administrators and security teams to remediate user security threats through automation while optimizing IT operations. Machine learning and artificial intelligence empowers Citrix Analytics for Security to identify and take automated action to prevent data exfiltration. While delivered as a cloud service, Citrix Analytics for Security can generate insights from resources located on-premises, in the cloud, or in hybrid architectures. The Citrix Analytics Workbook further enhances the value of both your Citrix Analytics for Security and Microsoft Sentinel. The Workbook enables you to integrate data sources together, helping you gain even richer insights. It also gives Security Operations (SOC) teams the ability to correlate data from disparate logs, helping you identify and proactively remediate security risk quickly. Additionally, valuable dashboards that were unique to the Citrix Analytics for Security can now be implemented in Sentinel. You can also create new custom Workbooks that were not previously available, helping extend the value of both investments.", - "dataTypesDependencies": [ - "CitrixAnalytics_userProfile_CL", - "CitrixAnalytics_riskScoreChange_CL", - "CitrixAnalytics_indicatorSummary_CL", - "CitrixAnalytics_indicatorEventDetails_CL" - ], - "dataConnectorsDependencies": [ - "Citrix" - ], - "previewImagesFileNames": [ - "CitrixWhite.png", - "CitrixBlack.png" - ], - "version": "2.1.0", - "title": "Citrix Analytics", - "templateRelativePath": "Citrix.json", - "subtitle": "", - "provider": "Citrix Systems Inc." 
- }, - { - "workbookKey": "OneIdentityWorkbook", - "logoFileName": "oneIdentity_logo.svg", - "description": "This simple workbook gives an overview of sessions going through your SafeGuard for Privileged Sessions device.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "OneIdentity" - ], - "previewImagesFileNames": [ - "OneIdentityWhite.png", - "OneIdentityBlack.png" - ], - "version": "1.0.0", - "title": "One Identity", - "templateRelativePath": "OneIdentity.json", - "subtitle": "", - "provider": "One Identity LLC." - }, - { - "workbookKey": "SecurityStatusWorkbook", - "logoFileName": "", - "description": "This workbook gives an overview of Security Settings for VMs and Azure Arc.", - "dataTypesDependencies": [ - "CommonSecurityLog", - "SecurityEvent", - "Syslog" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "AzureSentinelSecurityStatusBlack.png", - "AzureSentinelSecurityStatusWhite.png" - ], - "version": "1.3.0", - "title": "Security Status", - "templateRelativePath": "SecurityStatus.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "AzureSentinelSecurityAlertsWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Security Alerts dashboard for alerts in your Microsoft Sentinel environment.", - "dataTypesDependencies": [ - "SecurityAlert" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "AzureSentinelSecurityAlertsWhite.png", - "AzureSentinelSecurityAlertsBlack.png" - ], - "version": "1.1.0", - "title": "Security Alerts", - "templateRelativePath": "AzureSentinelSecurityAlerts.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "SquadraTechnologiesSecRMMWorkbook", - "logoFileName": "SquadraTechnologiesLogo.svg", - "description": "This workbook gives an overview of security data for removable storage activity such as USB thumb drives and USB connected mobile devices.", - "dataTypesDependencies": [ - 
"secRMM_CL"
- ],
- "dataConnectorsDependencies": [
- "SquadraTechnologiesSecRmm"
- ],
- "previewImagesFileNames": [
- "SquadraTechnologiesSecRMMWhite.PNG",
- "SquadraTechnologiesSecRMMBlack.PNG"
- ],
- "version": "1.0.0",
- "title": "Squadra Technologies SecRMM - USB removable storage security",
- "templateRelativePath": "SquadraTechnologiesSecRMM.json",
- "subtitle": "",
- "provider": "Squadra Technologies"
- },
- {
- "workbookKey": "IoT-Alerts",
- "logoFileName": "IoTIcon.svg",
- "description": "Gain insights into your IoT data workloads from Azure IoT Hub managed deployments, monitor alerts across all your IoT Hub deployments, detect devices at risk and act upon potential threats.",
- "dataTypesDependencies": [
- "SecurityAlert"
- ],
- "dataConnectorsDependencies": [
- "IoT"
- ],
- "previewImagesFileNames": [
- "IOTBlack1.png",
- "IOTWhite1.png"
- ],
- "version": "1.2.0",
- "title": "Azure Defender for IoT Alerts",
- "templateRelativePath": "IOT_Alerts.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "IoTAssetDiscovery",
- "logoFileName": "IoTIcon.svg",
- "description": "IoT Devices asset discovery from Firewall logs By Azure Defender for IoT",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "Fortinet"
- ],
- "previewImagesFileNames": [
- "workbook-iotassetdiscovery-screenshot-Black.PNG",
- "workbook-iotassetdiscovery-screenshot-White.PNG"
- ],
- "version": "1.0.0",
- "title": "IoT Asset Discovery",
- "templateRelativePath": "IoTAssetDiscovery.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "ForcepointCASBWorkbook",
- "logoFileName": "FP_Green_Emblem_RGB-01.svg",
- "description": "Get insights on user risk with the Forcepoint CASB (Cloud Access Security Broker) workbook.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "ForcepointCasb"
- ],
- "previewImagesFileNames": [
- "ForcepointCASBWhite.png",
-
"ForcepointCASBBlack.png"
- ],
- "version": "1.0.0",
- "title": "Forcepoint Cloud Access Security Broker (CASB)",
- "templateRelativePath": "ForcepointCASB.json",
- "subtitle": "",
- "provider": "Forcepoint"
- },
- {
- "workbookKey": "ForcepointNGFWWorkbook",
- "logoFileName": "FP_Green_Emblem_RGB-01.svg",
- "description": "Get insights on firewall activities with the Forcepoint NGFW (Next Generation Firewall) workbook.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "ForcepointNgfw"
- ],
- "previewImagesFileNames": [
- "ForcepointNGFWWhite.png",
- "ForcepointNGFWBlack.png"
- ],
- "version": "1.0.0",
- "title": "Forcepoint Next Generation Firewall (NGFW)",
- "templateRelativePath": "ForcepointNGFW.json",
- "subtitle": "",
- "provider": "Forcepoint"
- },
- {
- "workbookKey": "ForcepointDLPWorkbook",
- "logoFileName": "FP_Green_Emblem_RGB-01.svg",
- "description": "Get insights on DLP incidents with the Forcepoint DLP (Data Loss Prevention) workbook.",
- "dataTypesDependencies": [
- "ForcepointDLPEvents_CL"
- ],
- "dataConnectorsDependencies": [
- "ForcepointDlp"
- ],
- "previewImagesFileNames": [
- "ForcepointDLPWhite.png",
- "ForcepointDLPBlack.png"
- ],
- "version": "1.0.0",
- "title": "Forcepoint Data Loss Prevention (DLP)",
- "templateRelativePath": "ForcepointDLP.json",
- "subtitle": "",
- "provider": "Forcepoint"
- },
- {
- "workbookKey": "ZimperiumMTDWorkbook",
- "logoFileName": "ZIMPERIUM-logo_square2.svg",
- "description": "This workbook provides insights on Zimperium Mobile Threat Defense (MTD) threats and mitigations.",
- "dataTypesDependencies": [
- "ZimperiumThreatLog_CL",
- "ZimperiumMitigationLog_CL"
- ],
- "dataConnectorsDependencies": [
- "ZimperiumMtdAlerts"
- ],
- "previewImagesFileNames": [
- "ZimperiumWhite.png",
- "ZimperiumBlack.png"
- ],
- "version": "1.0.0",
- "title": "Zimperium Mobile Threat Defense (MTD)",
- "templateRelativePath": "ZimperiumWorkbooks.json",
- "subtitle": "",
- "provider":
"Zimperium"
- },
- {
- "workbookKey": "AzureAuditActivityAndSigninWorkbook",
- "logoFileName": "azureactivedirectory_logo.svg",
- "description": "Gain insights into Azure Active Directory Audit, Activity and Signins with one workbook. This workbook can be used by Security and Azure administrators.",
- "dataTypesDependencies": [
- "AzureActivity",
- "AuditLogs",
- "SigninLogs"
- ],
- "dataConnectorsDependencies": [
- "AzureActiveDirectory"
- ],
- "previewImagesFileNames": [
- "AzureAuditActivityAndSigninWhite1.png",
- "AzureAuditActivityAndSigninWhite2.png",
- "AzureAuditActivityAndSigninBlack1.png",
- "AzureAuditActivityAndSigninBlack2.png"
- ],
- "version": "1.2.0",
- "title": "Azure AD Audit, Activity and Sign-in logs",
- "templateRelativePath": "AzureAuditActivityAndSignin.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "WindowsFirewall",
- "logoFileName": "Microsoft_logo.svg",
- "description": "Gain insights into Windows Firewall logs in combination with security and Azure signin logs",
- "dataTypesDependencies": [
- "WindowsFirewall",
- "SecurityEvent",
- "SigninLogs"
- ],
- "dataConnectorsDependencies": [
- "SecurityEvents",
- "WindowsFirewall",
- "WindowsSecurityEvents"
- ],
- "previewImagesFileNames": [
- "WindowsFirewallWhite1.png",
- "WindowsFirewallWhite2.png",
- "WindowsFirewallBlack1.png",
- "WindowsFirewallBlack2.png"
- ],
- "version": "1.0.0",
- "title": "Windows Firewall",
- "templateRelativePath": "WindowsFirewall.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "EventAnalyzerwWorkbook",
- "logoFileName": "",
- "description": "The Event Analyzer workbook allows to explore, audit and speed up analysis of Windows Event Logs, including all event details and attributes, such as security, application, system, setup, directory service, DNS and others.",
- "dataTypesDependencies": [
- "SecurityEvent"
- ],
- "dataConnectorsDependencies": [
- "SecurityEvents",
-
"WindowsSecurityEvents"
- ],
- "previewImagesFileNames": [
- "EventAnalyzer-Workbook-White.png",
- "EventAnalyzer-Workbook-Black.png"
- ],
- "version": "1.0.0",
- "title": "Event Analyzer",
- "templateRelativePath": "EventAnalyzer.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "ASC-ComplianceandProtection",
- "logoFileName": "",
- "description": "Gain insight into regulatory compliance, alert trends, security posture, and more with this workbook based on Azure Security Center data.",
- "dataTypesDependencies": [
- "SecurityAlert",
- "ProtectionStatus",
- "SecurityRecommendation",
- "SecurityBaseline",
- "SecurityBaselineSummary",
- "Update",
- "ConfigurationChange"
- ],
- "dataConnectorsDependencies": [
- "AzureSecurityCenter"
- ],
- "previewImagesFileNames": [
- "ASCCaPBlack.png",
- "ASCCaPWhite.png"
- ],
- "version": "1.2.0",
- "title": "ASC Compliance and Protection",
- "templateRelativePath": "ASC-ComplianceandProtection.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "AIVectraDetectWorkbook",
- "logoFileName": "AIVectraDetect.svg",
- "description": "Start investigating network attacks surfaced by Vectra Detect directly from Sentinel. View critical hosts, accounts, campaigns and detections.
Also monitor Vectra system health and audit logs.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "AIVectraDetect"
- ],
- "previewImagesFileNames": [
- "AIVectraDetectWhite1.png",
- "AIVectraDetectBlack1.png"
- ],
- "version": "1.1.1",
- "title": "Vectra AI Detect",
- "templateRelativePath": "AIVectraDetectWorkbook.json",
- "subtitle": "",
- "provider": "Vectra AI"
- },
- {
- "workbookKey": "Perimeter81OverviewWorkbook",
- "logoFileName": "Perimeter81_Logo.svg",
- "description": "Gain insights and comprehensive monitoring into your Perimeter 81 account by analyzing activities.",
- "dataTypesDependencies": [
- "Perimeter81_CL"
- ],
- "dataConnectorsDependencies": [
- "Perimeter81ActivityLogs"
- ],
- "previewImagesFileNames": [
- "Perimeter81OverviewWhite1.png",
- "Perimeter81OverviewBlack1.png",
- "Perimeter81OverviewWhite2.png",
- "Perimeter81OverviewBlack2.png"
- ],
- "version": "1.0.0",
- "title": "Perimeter 81 Overview",
- "templateRelativePath": "Perimeter81OverviewWorkbook.json",
- "subtitle": "",
- "provider": "Perimeter 81"
- },
- {
- "workbookKey": "SymantecProxySGWorkbook",
- "logoFileName": "symantec_logo.svg",
- "description": "Gain insight into Symantec ProxySG by analyzing, collecting and correlating proxy data.\nThis workbook provides visibility into ProxySG Access logs",
- "dataTypesDependencies": [
- "Syslog"
- ],
- "dataConnectorsDependencies": [
- "SymantecProxySG"
- ],
- "previewImagesFileNames": [
- "SymantecProxySGWhite.png",
- "SymantecProxySGBlack.png"
- ],
- "version": "1.0.0",
- "title": "Symantec ProxySG",
- "templateRelativePath": "SymantecProxySG.json",
- "subtitle": "",
- "provider": "Symantec"
- },
- {
- "workbookKey": "IllusiveASMWorkbook",
- "logoFileName": "illusive_logo_workbook.svg",
- "description": "Gain insights into your organization's Cyber Hygiene and Attack Surface risk.\nIllusive ASM automates discovery and clean-up of credential violations, allows drill-down inspection of
pathways to critical assets, and provides risk insights that inform intelligent decision-making to reduce attacker mobility.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "illusiveAttackManagementSystem"
- ],
- "previewImagesFileNames": [
- "IllusiveASMWhite.png",
- "IllusiveASMBlack.png"
- ],
- "version": "1.0.0",
- "title": "Illusive ASM Dashboard",
- "templateRelativePath": "IllusiveASM.json",
- "subtitle": "",
- "provider": "Illusive"
- },
- {
- "workbookKey": "IllusiveADSWorkbook",
- "logoFileName": "illusive_logo_workbook.svg",
- "description": "Gain insights into unauthorized lateral movement in your organization's network.\nIllusive ADS is designed to paralyzes attackers and eradicates in-network threats by creating a hostile environment for the attackers across all the layers of the attack surface.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "illusiveAttackManagementSystem"
- ],
- "previewImagesFileNames": [
- "IllusiveADSWhite.png",
- "IllusiveADSBlack.png"
- ],
- "version": "1.0.0",
- "title": "Illusive ADS Dashboard",
- "templateRelativePath": "IllusiveADS.json",
- "subtitle": "",
- "provider": "Illusive"
- },
- {
- "workbookKey": "PulseConnectSecureWorkbook",
- "logoFileName": "",
- "description": "Gain insight into Pulse Secure VPN by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into user VPN activities",
- "dataTypesDependencies": [
- "Syslog"
- ],
- "dataConnectorsDependencies": [
- "PulseConnectSecure"
- ],
- "previewImagesFileNames": [
- "PulseConnectSecureWhite.png",
- "PulseConnectSecureBlack.png"
- ],
- "version": "1.0.0",
- "title": "Pulse Connect Secure",
- "templateRelativePath": "PulseConnectSecure.json",
- "subtitle": "",
- "provider": "Pulse Secure"
- },
- {
- "workbookKey": "InfobloxNIOSWorkbook",
- "logoFileName": "infoblox_logo.svg",
- "description": "Gain insight into Infoblox NIOS by
analyzing, collecting and correlating DHCP and DNS data.\nThis workbook provides visibility into DHCP and DNS traffic",
- "dataTypesDependencies": [
- "Syslog"
- ],
- "dataConnectorsDependencies": [
- "InfobloxNIOS"
- ],
- "previewImagesFileNames": [],
- "version": "1.1.0",
- "title": "Infoblox NIOS",
- "templateRelativePath": "Infoblox-Workbook-V2.json",
- "subtitle": "",
- "provider": "Infoblox"
- },
- {
- "workbookKey": "SymantecVIPWorkbook",
- "logoFileName": "symantec_logo.svg",
- "description": "Gain insight into Symantec VIP by analyzing, collecting and correlating strong authentication data.\nThis workbook provides visibility into user authentications",
- "dataTypesDependencies": [
- "Syslog"
- ],
- "dataConnectorsDependencies": [
- "SymantecVIP"
- ],
- "previewImagesFileNames": [
- "SymantecVIPWhite.png",
- "SymantecVIPBlack.png"
- ],
- "version": "1.0.0",
- "title": "Symantec VIP",
- "templateRelativePath": "SymantecVIP.json",
- "subtitle": "",
- "provider": "Symantec"
- },
- {
- "workbookKey": "ProofPointTAPWorkbook",
- "logoFileName": "proofpointlogo.svg",
- "description": "Gain extensive insight into Proofpoint Targeted Attack Protection (TAP) by analyzing, collecting and correlating TAP log events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked",
- "dataTypesDependencies": [
- "ProofPointTAPMessagesBlocked_CL",
- "ProofPointTAPMessagesDelivered_CL",
- "ProofPointTAPClicksPermitted_CL",
- "ProofPointTAPClicksBlocked_CL"
- ],
- "dataConnectorsDependencies": [
- "ProofpointTAP"
- ],
- "previewImagesFileNames": [
- "ProofpointTAPWhite.png",
- "ProofpointTAPBlack.png"
- ],
- "version": "1.0.0",
- "title": "Proofpoint TAP",
- "templateRelativePath": "ProofpointTAP.json",
- "subtitle": "",
- "provider": "Proofpoint"
- },
- {
- "workbookKey": "QualysVMV2Workbook",
- "logoFileName": "qualys_logo.svg",
- "description": "Gain insight into Qualys Vulnerability Management by analyzing, collecting and
correlating vulnerability data.\nThis workbook provides visibility into vulnerabilities detected from vulnerability scans",
- "dataTypesDependencies": [
- "QualysHostDetectionV2_CL"
- ],
- "dataConnectorsDependencies": [
- "QualysVulnerabilityManagement"
- ],
- "previewImagesFileNames": [
- "QualysVMWhite.png",
- "QualysVMBlack.png"
- ],
- "version": "1.0.0",
- "title": "Qualys Vulnerability Management",
- "templateRelativePath": "QualysVMv2.json",
- "subtitle": "",
- "provider": "Qualys"
- },
- {
- "workbookKey": "GitHubSecurityWorkbook",
- "logoFileName": "GitHub.svg",
- "description": "Gain insights to GitHub activities that may be interesting for security.",
- "dataTypesDependencies": [
- "Github_CL",
- "GitHubRepoLogs_CL"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "GitHubSecurityWhite.png",
- "GitHubSecurityBlack.png"
- ],
- "version": "1.0.0",
- "title": "GitHub Security",
- "templateRelativePath": "GitHubSecurityWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "VisualizationDemo",
- "logoFileName": "",
- "description": "Learn and explore the many ways of displaying information within Microsoft Sentinel workbooks",
- "dataTypesDependencies": [
- "SecurityAlert"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "VisualizationDemoBlack.png",
- "VisualizationDemoWhite.png"
- ],
- "version": "1.0.0",
- "title": "Visualizations Demo",
- "templateRelativePath": "VisualizationDemo.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "SophosXGFirewallWorkbook",
- "logoFileName": "sophos_logo.svg",
- "description": "Gain insight into Sophos XG Firewall by analyzing, collecting and correlating firewall data.\nThis workbook provides visibility into network traffic",
- "dataTypesDependencies": [
- "Syslog"
- ],
- "dataConnectorsDependencies": [
- "SophosXGFirewall"
- ],
- "previewImagesFileNames": [
-
"SophosXGFirewallWhite.png",
- "SophosXGFirewallBlack.png"
- ],
- "version": "1.0.0",
- "title": "Sophos XG Firewall",
- "templateRelativePath": "SophosXGFirewall.json",
- "subtitle": "",
- "provider": "Sophos"
- },
- {
- "workbookKey": "SysmonThreatHuntingWorkbook",
- "logoFileName": "",
- "description": "Simplify your threat hunts using Sysmon data mapped to MITRE ATT&CK data. This workbook gives you the ability to drilldown into system activity based on known ATT&CK techniques as well as other threat hunting entry points such as user activity, network connections or virtual machine Sysmon events.\nPlease note that for this workbook to work you must have deployed Sysmon on your virtual machines in line with the instructions at https://github.com/BlueTeamLabs/sentinel-attack/wiki/Onboarding-sysmon-data-to-Azure-Sentinel",
- "dataTypesDependencies": [
- "Event"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "SysmonThreatHuntingWhite1.png",
- "SysmonThreatHuntingBlack1.png"
- ],
- "version": "1.4.0",
- "title": "Sysmon Threat Hunting",
- "templateRelativePath": "SysmonThreatHunting.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "WebApplicationFirewallWAFTypeEventsWorkbook",
- "logoFileName": "webapplicationfirewall(WAF)_logo.svg",
- "description": "Gain insights into your organization's Azure web application firewall (WAF) across various services such as Azure Front Door Service and Application Gateway. You can view event triggers, full messages, attacks over time, among other data.
Several aspects of the workbook are interactable to allow users to further understand their data",
- "dataTypesDependencies": [
- "AzureDiagnostics"
- ],
- "dataConnectorsDependencies": [
- "WAF"
- ],
- "previewImagesFileNames": [
- "WAFFirewallWAFTypeEventsBlack1.PNG",
- "WAFFirewallWAFTypeEventsBlack2.PNG",
- "WAFFirewallWAFTypeEventsBlack3.PNG",
- "WAFFirewallWAFTypeEventsBlack4.PNG",
- "WAFFirewallWAFTypeEventsWhite1.png",
- "WAFFirewallWAFTypeEventsWhite2.PNG",
- "WAFFirewallWAFTypeEventsWhite3.PNG",
- "WAFFirewallWAFTypeEventsWhite4.PNG"
- ],
- "version": "1.1.0",
- "title": "Microsoft Web Application Firewall (WAF) - Azure WAF",
- "templateRelativePath": "WebApplicationFirewallWAFTypeEvents.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "OrcaAlertsOverviewWorkbook",
- "logoFileName": "Orca_logo.svg",
- "description": "A visualized overview of Orca security alerts.\nExplore, analize and learn about your security posture using Orca alerts Overview",
- "dataTypesDependencies": [
- "OrcaAlerts_CL"
- ],
- "dataConnectorsDependencies": [
- "OrcaSecurityAlerts"
- ],
- "previewImagesFileNames": [
- "OrcaAlertsWhite.png",
- "OrcaAlertsBlack.png"
- ],
- "version": "1.1.0",
- "title": "Orca alerts overview",
- "templateRelativePath": "OrcaAlerts.json",
- "subtitle": "",
- "provider": "Orca Security"
- },
- {
- "workbookKey": "CyberArkWorkbook",
- "logoFileName": "CyberArk_Logo.svg",
- "description": "The CyberArk Syslog connector allows you to easily connect all your CyberArk security solution logs with your Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation.
Integration between CyberArk and Microsoft Sentinel makes use of the CEF Data Connector to properly parse and display CyberArk Syslog messages.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "CyberArk"
- ],
- "previewImagesFileNames": [
- "CyberArkActivitiesWhite.PNG",
- "CyberArkActivitiesBlack.PNG"
- ],
- "version": "1.1.0",
- "title": "CyberArk EPV Events",
- "templateRelativePath": "CyberArkEPV.json",
- "subtitle": "",
- "provider": "CyberArk"
- },
- {
- "workbookKey": "UserEntityBehaviorAnalyticsWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Identify compromised users and insider threats using User and Entity Behavior Analytics. Gain insights into anomalous user behavior from baselines learned from behavior patterns",
- "dataTypesDependencies": [
- "BehaviorAnalytics"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "UserEntityBehaviorAnalyticsBlack1.png",
- "UserEntityBehaviorAnalyticsWhite1.png"
- ],
- "version": "1.2.0",
- "title": "User And Entity Behavior Analytics",
- "templateRelativePath": "UserEntityBehaviorAnalytics.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "CitrixWAF",
- "logoFileName": "citrix_logo.svg",
- "description": "Gain insight into the Citrix WAF logs",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "CitrixWAF"
- ],
- "previewImagesFileNames": [
- "CitrixWAFBlack.png",
- "CitrixWAFWhite.png"
- ],
- "version": "1.0.0",
- "title": "Citrix WAF (Web App Firewall)",
- "templateRelativePath": "CitrixWAF.json",
- "subtitle": "",
- "provider": "Citrix Systems Inc."
- },
- {
- "workbookKey": "UnifiSGWorkbook",
- "logoFileName": "",
- "description": "Gain insights into Unifi Security Gateways analyzing traffic and activities.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "UnifiSGBlack.png",
- "UnifiSGWhite.png"
- ],
- "version": "1.0.0",
- "title": "Unifi Security Gateway",
- "templateRelativePath": "UnfiSG.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "UnifiSGNetflowWorkbook",
- "logoFileName": "",
- "description": "Gain insights into Unifi Security Gateways analyzing traffic and activities using Netflow.",
- "dataTypesDependencies": [
- "netflow_CL"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "UnifiSGNetflowBlack.png",
- "UnifiSGNetflowWhite.png"
- ],
- "version": "1.0.0",
- "title": "Unifi Security Gateway - NetFlow",
- "templateRelativePath": "UnfiSGNetflow.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "NormalizedNetworkEventsWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "See insights on multiple networking appliances and other network sessions, that have been parsed or mapped to the normalized networking sessions table.
Note this requires enabling parsers for the different products - to learn more, visit https://aka.ms/sentinelnormalizationdocs",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "NormalizedNetworkEventsWhite.png",
- "NormalizedNetworkEventsBlack.png"
- ],
- "version": "1.0.0",
- "title": "Normalized network events",
- "templateRelativePath": "NormalizedNetworkEvents.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "WorkspaceAuditingWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Workspace auditing report\r\nUse this report to understand query runs across your workspace.",
- "dataTypesDependencies": [
- "LAQueryLogs"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "WorkspaceAuditingWhite.png",
- "WorkspaceAuditingBlack.png"
- ],
- "version": "1.0.0",
- "title": "Workspace audit",
- "templateRelativePath": "WorkspaceAuditing.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "MITREATTACKWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Workbook to showcase MITRE ATT&CK Coverage for Microsoft Sentinel",
- "dataTypesDependencies": [
- "SecurityAlert"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "MITREATTACKWhite1.PNG",
- "MITREATTACKWhite2.PNG",
- "MITREATTACKBlack1.PNG",
- "MITREATTACKBlack2.PNG"
- ],
- "version": "1.0.1",
- "title": "MITRE ATT&CK Workbook",
- "templateRelativePath": "MITREAttack.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "BETTERMTDWorkbook",
- "logoFileName": "BETTER_MTD_logo.svg",
- "description": "Workbook using the BETTER Mobile Threat Defense (MTD) connector, to give insights into your mobile devices, installed application and overall device security posture.",
- "dataTypesDependencies": [
- "BetterMTDDeviceLog_CL",
- "BetterMTDAppLog_CL",
- "BetterMTDIncidentLog_CL",
-
"BetterMTDNetflowLog_CL"
- ],
- "dataConnectorsDependencies": [
- "BetterMTD"
- ],
- "previewImagesFileNames": [
- "BetterMTDWorkbookPreviewWhite1.png",
- "BetterMTDWorkbookPreviewWhite2.png",
- "BetterMTDWorkbookPreviewWhite3.png",
- "BetterMTDWorkbookPreviewBlack1.png",
- "BetterMTDWorkbookPreviewBlack2.png",
- "BetterMTDWorkbookPreviewBlack3.png"
- ],
- "version": "1.1.0",
- "title": "BETTER Mobile Threat Defense (MTD)",
- "templateRelativePath": "BETTER_MTD_Workbook.json",
- "subtitle": "",
- "provider": "BETTER Mobile"
- },
- {
- "workbookKey": "AlsidIoEWorkbook",
- "logoFileName": "Alsid.svg",
- "description": "Workbook showcasing the state and evolution of your Alsid for AD Indicators of Exposures alerts.",
- "dataTypesDependencies": [
- "AlsidForADLog_CL"
- ],
- "dataConnectorsDependencies": [
- "AlsidForAD"
- ],
- "previewImagesFileNames": [
- "AlsidIoEBlack1.png",
- "AlsidIoEBlack2.png",
- "AlsidIoEBlack3.png",
- "AlsidIoEWhite1.png",
- "AlsidIoEWhite2.png",
- "AlsidIoEWhite3.png"
- ],
- "version": "1.0.0",
- "title": "Alsid for AD | Indicators of Exposure",
- "templateRelativePath": "AlsidIoE.json",
- "subtitle": "",
- "provider": "Alsid"
- },
- {
- "workbookKey": "AlsidIoAWorkbook",
- "logoFileName": "Alsid.svg",
- "description": "Workbook showcasing the state and evolution of your Alsid for AD Indicators of Attack alerts.",
- "dataTypesDependencies": [
- "AlsidForADLog_CL"
- ],
- "dataConnectorsDependencies": [
- "AlsidForAD"
- ],
- "previewImagesFileNames": [
- "AlsidIoABlack1.png",
- "AlsidIoABlack2.png",
- "AlsidIoABlack3.png",
- "AlsidIoAWhite1.png",
- "AlsidIoAWhite2.png",
- "AlsidIoAWhite3.png"
- ],
- "version": "1.0.0",
- "title": "Alsid for AD | Indicators of Attack",
- "templateRelativePath": "AlsidIoA.json",
- "subtitle": "",
- "provider": "Alsid"
- },
- {
- "workbookKey": "InvestigationInsightsWorkbook",
- "logoFileName": "Microsoft_logo.svg",
- "description": "Help analysts gain insight into incident, bookmark and entity data through the
Investigation Insights Workbook. This workbook provides common queries and detailed visualizations to help an analyst investigate suspicious activities quickly with an easy to use interface. Analysts can start their investigation from a Microsoft Sentinel incident, bookmark, or by simply entering the entity data into the workbook manually.",
- "dataTypesDependencies": [
- "AuditLogs",
- "AzureActivity",
- "CommonSecurityLog",
- "OfficeActivity",
- "SecurityEvent",
- "SigninLogs",
- "ThreatIntelligenceIndicator"
- ],
- "dataConnectorsDependencies": [
- "AzureActivity",
- "SecurityEvents",
- "Office365",
- "AzureActiveDirectory",
- "ThreatIntelligence",
- "ThreatIntelligenceTaxii",
- "WindowsSecurityEvents"
- ],
- "previewImagesFileNames": [
- "InvestigationInsightsWhite1.png",
- "InvestigationInsightsBlack1.png",
- "InvestigationInsightsWhite2.png",
- "InvestigationInsightsBlack2.png"
- ],
- "version": "1.4.0",
- "title": "Investigation Insights",
- "templateRelativePath": "InvestigationInsights.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "AksSecurityWorkbook",
- "logoFileName": "Kubernetes_services.svg",
- "description": "See insights about the security of your AKS clusters. The workbook helps to identify sensitive operations in the clusters and get insights based on Azure Defender alerts.",
- "dataTypesDependencies": [
- "SecurityAlert",
- "AzureDiagnostics"
- ],
- "dataConnectorsDependencies": [
- "AzureSecurityCenter",
- "AzureKubernetes"
- ],
- "previewImagesFileNames": [
- "AksSecurityWhite.png",
- "AksSecurityBlack.png"
- ],
- "version": "1.5.0",
- "title": "Azure Kubernetes Service (AKS) Security",
- "templateRelativePath": "AksSecurity.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AzureKeyVaultWorkbook",
- "logoFileName": "KeyVault.svg",
- "description": "See insights about the security of your Azure key vaults.
The workbook helps to identify sensitive operations in the key vaults and get insights based on Azure Defender alerts.",
- "dataTypesDependencies": [
- "SecurityAlert",
- "AzureDiagnostics"
- ],
- "dataConnectorsDependencies": [
- "AzureSecurityCenter",
- "AzureKeyVault"
- ],
- "previewImagesFileNames": [
- "AkvSecurityWhite.png",
- "AkvSecurityBlack.png"
- ],
- "version": "1.1.0",
- "title": "Azure Key Vault Security",
- "templateRelativePath": "AzureKeyVaultWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "IncidentOverview",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "The Incident Overview workbook is designed to assist in triaging and investigation by providing in-depth information about the incident, including:\r\n* General information\r\n* Entity data\r\n* Triage time (time between incident creation and first response)\r\n* Mitigation time (time between incident creation and closing)\r\n* Comments\r\n\r\nCustomize this workbook by saving and editing it. \r\nYou can reach this workbook template from the incidents panel as well. Once you have customized it, the link from the incident panel will open the customized workbook instead of the template.\r\n",
- "dataTypesDependencies": [
- "SecurityAlert",
- "SecurityIncident"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "IncidentOverviewBlack1.png",
- "IncidentOverviewWhite1.png",
- "IncidentOverviewBlack2.png",
- "IncidentOverviewWhite2.png"
- ],
- "version": "2.1.0",
- "title": "Incident overview",
- "templateRelativePath": "IncidentOverview.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "SecurityOperationsEfficiency",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Security operations center managers can view overall efficiency metrics and measures regarding the performance of their team.
They can find operations by multiple indicators over time including severity, MITRE tactics, mean time to triage, mean time to resolve and more. The SOC manager can develop a picture of the performance in both general and specific areas over time and use it to improve efficiency.",
- "dataTypesDependencies": [
- "SecurityAlert",
- "SecurityIncident"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "SecurityEfficiencyWhite1.png",
- "SecurityEfficiencyWhite2.png",
- "SecurityEfficiencyBlack1.png",
- "SecurityEfficiencyBlack2.png"
- ],
- "version": "1.5.0",
- "title": "Security Operations Efficiency",
- "templateRelativePath": "SecurityOperationsEfficiency.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "DataCollectionHealthMonitoring",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Gain insights into your workspace's data ingestion status. In this workbook, you can view additional monitors and detect anomalies that will help you determine your workspace\u2019s data collection health.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "HealthMonitoringWhite1.png",
- "HealthMonitoringWhite2.png",
- "HealthMonitoringWhite3.png",
- "HealthMonitoringBlack1.png",
- "HealthMonitoringBlack2.png",
- "HealthMonitoringBlack3.png"
- ],
- "version": "1.0.0",
- "title": "Data collection health monitoring",
- "templateRelativePath": "DataCollectionHealthMonitoring.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "OnapsisAlarmsWorkbook",
- "logoFileName": "onapsis_logo.svg",
- "description": "Gain insights into what is going on in your SAP Systems with this overview of the alarms triggered in the Onapsis Platform.
Incidents are enriched with context and next steps to help your Security team respond effectively.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "OnapsisPlatform"
- ],
- "previewImagesFileNames": [
- "OnapsisWhite1.PNG",
- "OnapsisBlack1.PNG",
- "OnapsisWhite2.PNG",
- "OnapsisBlack2.PNG"
- ],
- "version": "1.0.0",
- "title": "Onapsis Alarms Overview",
- "templateRelativePath": "OnapsisAlarmsOverview.json",
- "subtitle": "",
- "provider": "Onapsis"
- },
- {
- "workbookKey": "DelineaWorkbook",
- "logoFileName": "DelineaLogo.svg",
- "description": "The Delinea Secret Server Syslog connector",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "DelineaSecretServer_CEF"
- ],
- "previewImagesFileNames": [
- "DelineaWorkbookWhite.PNG",
- "DelineaWorkbookBlack.PNG"
- ],
- "version": "1.0.0",
- "title": "Delinea Secret Server Workbook",
- "templateRelativePath": "DelineaWorkbook.json",
- "subtitle": "",
- "provider": "Delinea"
- },
- {
- "workbookKey": "ForcepointCloudSecurityGatewayWorkbook",
- "logoFileName": "Forcepoint_new_logo.svg",
- "description": "Use this report to understand query runs across your workspace.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "ForcepointCSG"
- ],
- "previewImagesFileNames": [
- "ForcepointCloudSecurityGatewayWhite.png",
- "ForcepointCloudSecurityGatewayBlack.png"
- ],
- "version": "1.0.0",
- "title": "Forcepoint Cloud Security Gateway Workbook",
- "templateRelativePath": "ForcepointCloudSecuirtyGatewayworkbook.json",
- "subtitle": "",
- "provider": "Forcepoint"
- },
- {
- "workbookKey": "IntsightsIOCWorkbook",
- "logoFileName": "IntSights_logo.svg",
- "description": "This Microsoft Sentinel workbook provides an overview of Indicators of Compromise (IOCs) and their correlations allowing users to analyze and visualize indicators based on severity, type, and other parameters.",
- "dataTypesDependencies":
[
- "ThreatIntelligenceIndicator",
- "SecurityAlert"
- ],
- "dataConnectorsDependencies": [
- "ThreatIntelligenceTaxii"
- ],
- "previewImagesFileNames": [
- "IntsightsIOCWhite.png",
- "IntsightsMatchedWhite.png",
- "IntsightsMatchedBlack.png",
- "IntsightsIOCBlack.png"
- ],
- "version": "2.0.0",
- "title": "IntSights IOC Workbook",
- "templateRelativePath": "IntsightsIOCWorkbook.json",
- "subtitle": "",
- "provider": "IntSights Cyber Intelligence"
- },
- {
- "workbookKey": "DarktraceSummaryWorkbook",
- "logoFileName": "Darktrace.svg",
- "description": "A workbook containing relevant KQL queries to help you visualise the data in model breaches from the Darktrace Connector",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "Darktrace"
- ],
- "previewImagesFileNames": [
- "AIA-DarktraceSummaryWhite.png",
- "AIA-DarktraceSummaryBlack.png"
- ],
- "version": "1.1.0",
- "title": "AI Analyst Darktrace Model Breach Summary",
- "templateRelativePath": "AIA-Darktrace.json",
- "subtitle": "",
- "provider": "Darktrace"
- },
- {
- "workbookKey": "TrendMicroXDR",
- "logoFileName": "trendmicro_logo.svg",
- "description": "Gain insights from Trend Vision One with this overview of the Alerts triggered.",
- "dataTypesDependencies": [
- "TrendMicro_XDR_WORKBENCH_CL"
- ],
- "dataConnectorsDependencies": [
- "TrendMicroXDR"
- ],
- "previewImagesFileNames": [
- "TrendMicroXDROverviewWhite.png",
- "TrendMicroXDROverviewBlack.png"
- ],
- "version": "1.3.0",
- "title": "Trend Vision One Alert Overview",
- "templateRelativePath": "TrendMicroXDROverview.json",
- "subtitle": "",
- "provider": "Trend Micro"
- },
- {
- "workbookKey": "CyberpionOverviewWorkbook",
- "logoFileName": "cyberpion_logo.svg",
- "description": "Use Cyberpion's Security Logs and this workbook, to get an overview of your online assets, gain insights into their current state, and find ways to better secure your ecosystem.",
- "dataTypesDependencies": [
- "CyberpionActionItems_CL"
- 
],
- "dataConnectorsDependencies": [
- "CyberpionSecurityLogs"
- ],
- "previewImagesFileNames": [
- "CyberpionActionItemsBlack.png",
- "CyberpionActionItemsWhite.png"
- ],
- "version": "1.0.0",
- "title": "Cyberpion Overview",
- "templateRelativePath": "CyberpionOverviewWorkbook.json",
- "subtitle": "",
- "provider": "Cyberpion"
- },
- {
- "workbookKey": "SolarWindsPostCompromiseHuntingWorkbook",
- "logoFileName": "MSTIC-Logo.svg",
- "description": "This hunting workbook is intended to help identify activity related to the Solorigate compromise and subsequent attacks discovered in December 2020",
- "dataTypesDependencies": [
- "CommonSecurityLog",
- "SigninLogs",
- "AuditLogs",
- "AADServicePrincipalSignInLogs",
- "OfficeActivity",
- "BehaviorAnalytics",
- "SecurityEvent",
- "DeviceProcessEvents",
- "SecurityAlert",
- "DnsEvents"
- ],
- "dataConnectorsDependencies": [
- "AzureActiveDirectory",
- "SecurityEvents",
- "Office365",
- "MicrosoftThreatProtection",
- "DNS",
- "WindowsSecurityEvents"
- ],
- "previewImagesFileNames": [
- "SolarWindsPostCompromiseHuntingWhite.png",
- "SolarWindsPostCompromiseHuntingBlack.png"
- ],
- "version": "1.5.0",
- "title": "SolarWinds Post Compromise Hunting",
- "templateRelativePath": "SolarWindsPostCompromiseHunting.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "ProofpointPODWorkbook",
- "logoFileName": "proofpointlogo.svg",
- "description": "Gain insights into your Proofpoint on Demand Email Security activities, including maillog and messages data. 
The Workbook provides users with an executive dashboard showing the reporting capabilities, message traceability and monitoring.",
- "dataTypesDependencies": [
- "ProofpointPOD_maillog_CL",
- "ProofpointPOD_message_CL"
- ],
- "dataConnectorsDependencies": [
- "ProofpointPOD"
- ],
- "previewImagesFileNames": [
- "ProofpointPODMainBlack1.png",
- "ProofpointPODMainBlack2.png",
- "ProofpointPODMainWhite1.png",
- "ProofpointPODMainWhite2.png",
- "ProofpointPODMessageSummaryBlack.png",
- "ProofpointPODMessageSummaryWhite.png",
- "ProofpointPODTLSBlack.png",
- "ProofpointPODTLSWhite.png"
- ],
- "version": "1.0.0",
- "title": "Proofpoint On-Demand Email Security",
- "templateRelativePath": "ProofpointPOD.json",
- "subtitle": "",
- "provider": "Proofpoint"
- },
- {
- "workbookKey": "CiscoUmbrellaWorkbook",
- "logoFileName": "cisco_logo.svg",
- "description": "Gain insights into Cisco Umbrella activities, including the DNS, Proxy and Cloud Firewall data. Workbook shows general information along with threat landscape including categories, blocked destinations and URLs.",
- "dataTypesDependencies": [
- "Cisco_Umbrella_dns_CL",
- "Cisco_Umbrella_proxy_CL",
- "Cisco_Umbrella_ip_CL",
- "Cisco_Umbrella_cloudfirewall_CL"
- ],
- "dataConnectorsDependencies": [
- "CiscoUmbrellaDataConnector"
- ],
- "previewImagesFileNames": [
- "CiscoUmbrellaDNSBlack1.png",
- "CiscoUmbrellaDNSBlack2.png",
- "CiscoUmbrellaDNSWhite1.png",
- "CiscoUmbrellaDNSWhite2.png",
- "CiscoUmbrellaFirewallBlack.png",
- "CiscoUmbrellaFirewallWhite.png",
- "CiscoUmbrellaMainBlack1.png",
- "CiscoUmbrellaMainBlack2.png",
- "CiscoUmbrellaMainWhite1.png",
- "CiscoUmbrellaMainWhite2.png",
- "CiscoUmbrellaProxyBlack1.png",
- "CiscoUmbrellaProxyBlack2.png",
- "CiscoUmbrellaProxyWhite1.png",
- "CiscoUmbrellaProxyWhite2.png"
- ],
- "version": "1.0.0",
- "title": "Cisco Umbrella",
- "templateRelativePath": "CiscoUmbrella.json",
- "subtitle": "",
- "provider": "Cisco"
- },
- {
- "workbookKey": "AnalyticsEfficiencyWorkbook",
- 
"logoFileName": "Azure_Sentinel.svg",
- "description": "Gain insights into the efficacy of your analytics rules. In this workbook you can analyze and monitor the analytics rules found in your workspace to achieve better performance by your SOC.",
- "dataTypesDependencies": [
- "SecurityAlert",
- "SecurityIncident"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "AnalyticsEfficiencyBlack.png",
- "AnalyticsEfficiencyWhite.png"
- ],
- "version": "1.2.0",
- "title": "Analytics Efficiency",
- "templateRelativePath": "AnalyticsEfficiency.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "WorkspaceUsage",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Gain insights into your workspace's usage. In this workbook, you can view your workspace\u2019s data consumption, latency, recommended tasks and Cost and Usage statistics.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "WorkspaceUsageBlack.png",
- "WorkspaceUsageWhite.png"
- ],
- "version": "1.6.0",
- "title": "Workspace Usage Report",
- "templateRelativePath": "WorkspaceUsage.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "SentinelCentral",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Use this report to view Incident (and Alert data) across many workspaces, this works with Azure Lighthouse and across any subscription you have access to.",
- "dataTypesDependencies": [
- "SecurityIncident"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "SentinelCentralBlack.png",
- "SentinelCentralWhite.png"
- ],
- "version": "2.1.1",
- "title": "Microsoft Sentinel Central",
- "templateRelativePath": "SentinelCentral.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "CognniIncidentsWorkbook",
- "logoFileName": "cognni-logo.svg",
- "description": "Gain intelligent insights into the risks to your 
important financial, legal, HR, and governance information. This workbook lets you monitor your at-risk information to determine when and why incidents occurred, as well as who was involved. These incidents are broken into high, medium, and low risk incidents for each information category.",
- "dataTypesDependencies": [
- "CognniIncidents_CL"
- ],
- "dataConnectorsDependencies": [
- "CognniSentinelDataConnector"
- ],
- "previewImagesFileNames": [
- "CognniBlack.PNG",
- "CognniWhite.PNG"
- ],
- "version": "1.0.0",
- "title": "Cognni Important Information Incidents",
- "templateRelativePath": "CognniIncidentsWorkbook.json",
- "subtitle": "",
- "provider": "Cognni"
- },
- {
- "workbookKey": "pfsense",
- "logoFileName": "pfsense_logo.svg",
- "description": "Gain insights into pfsense logs from both filterlog and nginx.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "pfsenseBlack.png",
- "pfsenseWhite.png"
- ],
- "version": "1.0.0",
- "title": "pfsense",
- "templateRelativePath": "pfsense.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel community"
- },
- {
- "workbookKey": "ExchangeCompromiseHunting",
- "logoFileName": "MSTIC-Logo.svg",
- "description": "This workbook is intended to help defenders in responding to the Exchange Server vulnerabilities disclosed in March 2021, as well as hunting for potential compromise activity. 
More details on these vulnearbilities can be found at: https://aka.ms/exchangevulns",
- "dataTypesDependencies": [
- "SecurityEvent",
- "W3CIISLog"
- ],
- "dataConnectorsDependencies": [
- "SecurityEvents",
- "AzureMonitor(IIS)",
- "WindowsSecurityEvents"
- ],
- "previewImagesFileNames": [
- "ExchangeBlack.png",
- "ExchangeWhite.png"
- ],
- "version": "1.0.0",
- "title": "Exchange Compromise Hunting",
- "templateRelativePath": "ExchangeCompromiseHunting.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "SOCProcessFramework",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "SOCProcessFrameworkCoverImage1White.png",
- "SOCProcessFrameworkCoverImage1Black.png",
- "SOCProcessFrameworkCoverImage2White.png",
- "SOCProcessFrameworkCoverImage2Black.png"
- ],
- "version": "1.1.0",
- "title": "SOC Process Framework",
- "templateRelativePath": "SOCProcessFramework.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "Building_a_SOCLargeStaffWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. 
It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "SOCProcessFrameworkCoverImage1White.png",
- "SOCProcessFrameworkCoverImage1Black.png",
- "SOCProcessFrameworkCoverImage2White.png",
- "SOCProcessFrameworkCoverImage2Black.png"
- ],
- "version": "1.1.0",
- "title": "SOC Large Staff",
- "templateRelativePath": "Building_a_SOCLargeStaff.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "Building_a_SOCMediumStaffWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "SOCProcessFrameworkCoverImage1White.png",
- "SOCProcessFrameworkCoverImage1Black.png",
- "SOCProcessFrameworkCoverImage2White.png",
- "SOCProcessFrameworkCoverImage2Black.png"
- ],
- "version": "1.1.0",
- "title": "SOC Medium Staff",
- "templateRelativePath": "Building_a_SOCMediumStaff.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "Building_a_SOCPartTimeStaffWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. 
It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "SOCProcessFrameworkCoverImage1White.png",
- "SOCProcessFrameworkCoverImage1Black.png",
- "SOCProcessFrameworkCoverImage2White.png",
- "SOCProcessFrameworkCoverImage2Black.png"
- ],
- "version": "1.1.0",
- "title": "SOC Part Time Staff",
- "templateRelativePath": "Building_a_SOCPartTimeStaff.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "Building_a_SOCSmallStaffWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "SOCProcessFrameworkCoverImage1White.png",
- "SOCProcessFrameworkCoverImage1Black.png",
- "SOCProcessFrameworkCoverImage2White.png",
- "SOCProcessFrameworkCoverImage2Black.png"
- ],
- "version": "1.1.0",
- "title": "SOC Small Staff",
- "templateRelativePath": "Building_a_SOCSmallStaff.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "SOCIRPlanningWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. 
It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "SOCProcessFrameworkCoverImage1White.png",
- "SOCProcessFrameworkCoverImage1Black.png",
- "SOCProcessFrameworkCoverImage2White.png",
- "SOCProcessFrameworkCoverImage2Black.png"
- ],
- "version": "1.1.0",
- "title": "SOC IR Planning",
- "templateRelativePath": "SOCIRPlanning.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "UpdateSOCMaturityScoreWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "SOCProcessFrameworkCoverImage1White.png",
- "SOCProcessFrameworkCoverImage1Black.png",
- "SOCProcessFrameworkCoverImage2White.png",
- "SOCProcessFrameworkCoverImage2Black.png"
- ],
- "version": "1.1.0",
- "title": "Update SOC Maturity Score",
- "templateRelativePath": "UpdateSOCMaturityScore.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "Microsoft365SecurityPosture",
- "logoFileName": "M365securityposturelogo.svg",
- "description": "This workbook presents security posture data collected from Azure Security Center, M365 Defender, Defender for Endpoint, and Microsoft Cloud App Security. 
This workbook relies on the M365 Security Posture Playbook in order to bring the data in.",
- "dataTypesDependencies": [
- "M365SecureScore_CL",
- "MDfESecureScore_CL",
- "MDfEExposureScore_CL",
- "MDfERecommendations_CL",
- "MDfEVulnerabilitiesList_CL",
- "McasShadowItReporting"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "M365securitypostureblack.png",
- "M365securityposturewhite.png"
- ],
- "version": "1.0.0",
- "title": "Microsoft 365 Security Posture",
- "templateRelativePath": "M365SecurityPosture.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "AzureSentinelCost",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This workbook provides an estimated cost across the main billed items in Microsoft Sentinel: ingestion, retention and automation. It also provides insight about the possible impact of the Microsoft 365 E5 offer.",
- "dataTypesDependencies": [
- "Usage"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "AzureSentinelCostWhite.png",
- "AzureSentinelCostBlack.png"
- ],
- "version": "1.5.1",
- "title": "Microsoft Sentinel Cost",
- "templateRelativePath": "AzureSentinelCost.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "ADXvsLA",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This workbook shows the tables from Microsoft Sentinel which are backed up in ADX. It also provides a comparison between the entries in the Microsoft Sentinel tables and the ADX tables. 
Lastly some general information about the queries and ingestion on ADX is shown.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "ADXvsLABlack.PNG",
- "ADXvsLAWhite.PNG"
- ],
- "version": "1.0.0",
- "title": "ADXvsLA",
- "templateRelativePath": "ADXvsLA.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "ProofPointThreatDashboard",
- "logoFileName": "",
- "description": "Provides an overview of email threat activity based on log data provided by ProofPoint",
- "dataTypesDependencies": [
- "ProofpointPOD_message_CL",
- "ProofpointPOD_maillog_CL",
- "ProofPointTAPClicksBlocked_CL",
- "ProofPointTAPClicksPermitted_CL",
- "ProofPointTAPMessagesBlocked_CL",
- "ProofPointTAPMessagesDelivered_CL"
- ],
- "dataConnectorsDependencies": [
- "ProofpointTAP",
- "ProofpointPOD"
- ],
- "previewImagesFileNames": [
- "ProofPointThreatDashboardBlack1.png",
- "ProofPointThreatDashboardWhite1.png"
- ],
- "version": "1.0.0",
- "title": "ProofPoint Threat Dashboard",
- "templateRelativePath": "ProofPointThreatDashboard.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "AMAmigrationTracker",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "See what Azure and Azure Arc servers have Log Analytics agent or Azure Monitor agent installed. 
Review what DCR (data collection rules) apply to your machines and whether you are collecting logs from those machines into your selected workspaces.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "AMAtrackingWhite1.png",
- "AMAtrackingWhite2.png",
- "AMAtrackingWhite3.png",
- "AMAtrackingBlack1.png",
- "AMAtrackingBlack2.png",
- "AMAtrackingBlack3.png"
- ],
- "version": "1.1.0",
- "title": "AMA migration tracker",
- "templateRelativePath": "AMAmigrationTracker.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "AdvancedKQL",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This interactive Workbook is designed to improve your KQL proficiency by using a use-case driven approach.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "AdvancedKQLWhite.png",
- "AdvancedKQLBlack.png"
- ],
- "version": "1.3.0",
- "title": "Advanced KQL for Microsoft Sentinel",
- "templateRelativePath": "AdvancedKQL.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "DSTIMWorkbook",
- "logoFileName": "DSTIM.svg",
- "description": "Identify sensitive data blast radius (i.e., who accessed sensitive data, what kinds of sensitive data, from where and when) in a given data security incident investigation or as part of Threat Hunting. 
Prioritize your investigation based on insights provided with integrations with Watchlists(VIPUsers, TerminatedEmployees and HighValueAssets), Threat Intelligence feed, UEBA baselines and much more.",
- "dataTypesDependencies": [
- "DSMAzureBlobStorageLogs",
- "DSMDataClassificationLogs",
- "DSMDataLabelingLogs",
- "Anomalies",
- "ThreatIntelligenceIndicator",
- "AADManagedIdentitySignInLogs",
- "SecurityAlert",
- "SigninLogs"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "DSTIMWorkbookBlack.png",
- "DSTIMWorkbookWhite.png"
- ],
- "version": "1.9.0",
- "title": "Data Security - Sensitive Data Impact Assessment",
- "templateRelativePath": "DSTIMWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft",
- "featureFlag": "DSTIMWorkbook"
- },
- {
- "workbookKey": "IntrotoKQLWorkbook",
- "logoFileName": "",
- "description": "Learn and practice the Kusto Query Language. This workbook introduces and provides 100 to 200 level content for new and existing users looking to learn KQL. 
This workbook will be updated with content over time.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "IntrotoKQL-black.png",
- "IntrotoKQL-white.png"
- ],
- "version": "1.0.0",
- "title": "Intro to KQL",
- "templateRelativePath": "IntrotoKQL.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "Log4jPostCompromiseHuntingWorkbook",
- "logoFileName": "",
- "description": "This hunting workbook is intended to help identify activity related to the Log4j compromise discovered in December 2021.",
- "dataTypesDependencies": [
- "SecurityNestedRecommendation",
- "AzureDiagnostics",
- "OfficeActivity",
- "W3CIISLog",
- "AWSCloudTrail",
- "SigninLogs",
- "AADNonInteractiveUserSignInLogs",
- "imWebSessions",
- "imNetworkSession"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "Log4jPostCompromiseHuntingBlack.png",
- "Log4jPostCompromiseHuntingWhite.png"
- ],
- "version": "1.0.0",
- "title": "Log4j Post Compromise Hunting",
- "templateRelativePath": "Log4jPostCompromiseHunting.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "Log4jImpactAssessmentWorkbook",
- "logoFileName": "",
- "description": "This hunting workbook is intended to help identify activity related to the Log4j compromise discovered in December 2021.",
- "dataTypesDependencies": [
- "SecurityIncident",
- "SecurityAlert",
- "AzureSecurityCenter",
- "MDfESecureScore_CL",
- "MDfEExposureScore_CL",
- "MDfERecommendations_CL",
- "MDfEVulnerabilitiesList_CL"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [],
- "version": "1.0.0",
- "title": "Log4j Impact Assessment",
- "templateRelativePath": "Log4jImpactAssessment.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "UserMap",
- "logoFileName": "",
- "description": "This Workbook shows MaliciousIP, User SigninLog Data (this shows user 
Signin Locations and distance between as well as order visited) and WAF information.",
- "dataTypesDependencies": [
- "SigninLogs",
- "AzureDiagnostics",
- "WireData",
- "VMconnection",
- "CommonSecurityLog",
- "WindowsFirewall",
- "W3CIISLog",
- "DnsEvents"
- ],
- "dataConnectorsDependencies": [
- "AzureActiveDirectory"
- ],
- "previewImagesFileNames": [
- "UserMapBlack.png",
- "UserMapWhite.png"
- ],
- "version": "1.0.0",
- "title": "User Map information",
- "templateRelativePath": "UserMap.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "AWSS3",
- "logoFileName": "",
- "description": ".",
- "dataTypesDependencies": [
- "AWSCloudTrail",
- "AWSGuardDuty",
- "AWSVPCFlow"
- ],
- "dataConnectorsDependencies": [
- "AWSS3"
- ],
- "previewImagesFileNames": [
- "AWSS3Black.png",
- "AWSS3White.png",
- "AWSS3White1.png"
- ],
- "version": "1.0.0",
- "title": "AWS S3 Workbook",
- "templateRelativePath": "AWSS3.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "LogSourcesAndAnalyticRulesCoverageWorkbook",
- "logoFileName": "",
- "description": "This workbook is intended to show how the different tables in a Log Analytics workspace are being used by the different Microsoft Sentinel features, like analytics, hunting queries, playbooks and queries in general.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "LogSourcesAndAnalyticRulesCoverageBlack.png",
- "LogSourcesAndAnalyticRulesCoverageWhite.png"
- ],
- "version": "1.1.0",
- "title": "Log Sources & Analytic Rules Coverage",
- "templateRelativePath": "LogSourcesAndAnalyticRulesCoverage.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "CiscoFirepower",
- "logoFileName": "",
- "description": "Gain insights into your Cisco Firepower firewalls. 
This workbook analyzes Cisco Firepower device logs.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "CiscoFirepowerBlack.png",
- "CiscoFirepowerWhite.png"
- ],
- "version": "1.0.0",
- "title": "Cisco Firepower",
- "templateRelativePath": "CiscoFirepower.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "MicrorosftTeams",
- "logoFileName": "microsoftteams.svg",
- "description": "This workbook is intended to identify the activities on Microrsoft Teams.",
- "dataTypesDependencies": [
- "OfficeActivity"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "MicrosoftTeamsBlack.png",
- "MicrosoftTeamsWhite.png"
- ],
- "version": "1.0.0",
- "title": "Microsoft Teams",
- "templateRelativePath": "MicrosoftTeams.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "ArchivingBasicLogsRetention",
- "logoFileName": "ArchivingBasicLogsRetention.svg",
- "description": "This workbooks shows workspace and table retention periods, basic logs, and search & restore tables. 
It also allows you to update table retention periods, plans, and delete search or restore tables.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "ArchivingBasicLogsRetentionBlack1.png",
- "ArchivingBasicLogsRetentionWhite1.png"
- ],
- "version": "1.1.0",
- "title": "Archiving, Basic Logs, and Retention",
- "templateRelativePath": "ArchivingBasicLogsRetention.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "OktaSingleSignOnWorkbook",
- "logoFileName": "okta_logo.svg",
- "description": "Gain extensive insight into Okta Single Sign-On (SSO) by analyzing, collecting and correlating Audit and Event events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked",
- "dataTypesDependencies": [
- "Okta_CL"
- ],
- "dataConnectorsDependencies": [
- "OktaSSO"
- ],
- "previewImagesFileNames": [
- "OktaSingleSignOnWhite.png",
- "OktaSingleSignOnBlack.png"
- ],
- "version": "1.2",
- "title": "Okta Single Sign-On",
- "templateRelativePath": "OktaSingleSignOn.json",
- "subtitle": "",
- "provider": "Okta"
- },
- {
- "workbookKey": "Dynamics365Workbooks",
- "logoFileName": "DynamicsLogo.svg",
- "description": "This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data.",
- "dataTypesDependencies": [
- "Dynamics365Activity"
- ],
- "dataConnectorsDependencies": [
- "Dynamics365"
- ],
- "previewImagesFileNames": [
- "Dynamics365WorkbookBlack.png",
- "Dynamics365WorkbookWhite.png"
- ],
- "version": "1.0.3",
- "title": "Dynamics365Workbooks",
- "templateRelativePath": "Dynamics365Workbooks.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
- },
- {
- "workbookKey": "CiscoMerakiWorkbook",
- "logoFileName": "",
- "description": "Gain insights into the Events from Cisco Meraki Solution and analyzing all the different types of Security Events. 
This workbook also helps in identifying the Events from affected devices, IPs and the nodes where malware was successfully detected.\nIP data received in Events is correlated with Threat Intelligence to identify if the reported IP address is known bad based on threat intelligence data.",
- "dataTypesDependencies": [
- "meraki_CL",
- "CiscoMerakiNativePoller",
- "ThreatIntelligenceIndicator"
- ],
- "dataConnectorsDependencies": [
- "CiscoMeraki",
- "CiscoMerakiNativePolling",
- "ThreatIntelligence"
- ],
- "previewImagesFileNames": [
- "CiscoMerakiWorkbookWhite.png",
- "CiscoMerakiWorkbookBlack.png"
- ],
- "version": "1.0.0",
- "title": "CiscoMerakiWorkbook",
- "templateRelativePath": "CiscoMerakiWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "SentinelOneWorkbook",
- "logoFileName": "",
- "description": "Sets the time name for analysis.",
- "dataTypesDependencies": [
- "SentinelOne_CL"
- ],
- "dataConnectorsDependencies": [
- "SentinelOne"
- ],
- "previewImagesFileNames": [
- "SentinelOneBlack.png",
- "SentinelOneWhite.png"
- ],
- "version": "1.0.0",
- "title": "SentinelOneWorkbook",
- "templateRelativePath": "SentinelOne.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "TrendMicroApexOneWorkbook",
- "logoFileName": "trendmicro_logo.svg",
- "description": "Sets the time name for analysis.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "TrendMicroApexOne"
- ],
- "previewImagesFileNames": [
- "TrendMicroApexOneBlack.png",
- "TrendMicroApexOneWhite.png"
- ],
- "version": "1.0.0",
- "title": "Trend Micro Apex One",
- "templateRelativePath": "TrendMicroApexOne.json",
- "subtitle": "",
- "provider": "TrendMicro"
- },
- {
- "workbookKey": "ContrastProtect",
- "logoFileName": "contrastsecurity_logo.svg",
- "description": "Select the time range for this Overview.",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- 
"ContrastProtect"
- ],
- "previewImagesFileNames": [
- "ContrastProtectAllBlack.png",
- "ContrastProtectAllWhite.png",
- "ContrastProtectEffectiveBlack.png",
- "ContrastProtectEffectiveWhite.png",
- "ContrastProtectSummaryBlack.png",
- "ContrastProtectSummaryWhite.png"
- ],
- "version": "1.0.0",
- "title": "Contrast Protect",
- "templateRelativePath": "ContrastProtect.json",
- "subtitle": "",
- "provider": "contrast security"
- },
- {
- "workbookKey": "ArmorbloxOverview",
- "logoFileName": "armorblox.svg",
- "description": "INCIDENTS FROM SELECTED TIME RANGE",
- "dataTypesDependencies": [
- "Armorblox_CL"
- ],
- "dataConnectorsDependencies": [
- "Armorblox"
- ],
- "previewImagesFileNames": [
- "ArmorbloxOverviewBlack01.png",
- "ArmorbloxOverviewBlack02.png",
- "ArmorbloxOverviewWhite01.png",
- "ArmorbloxOverviewWhite02.png"
- ],
- "version": "1.0.0",
- "title": "Armorblox",
- "templateRelativePath": "ArmorbloxOverview.json",
- "subtitle": "",
- "provider": "Armorblox"
- },
- {
- "workbookKey": "PaloAltoCDL",
- "logoFileName": "paloalto_logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "CommonSecurityLog"
- ],
- "dataConnectorsDependencies": [
- "PaloAltoCDL"
- ],
- "previewImagesFileNames": [
- "PaloAltoBlack.png",
- "PaloAltoWhite.png"
- ],
- "version": "1.0.0",
- "title": "Palo Alto Networks Cortex Data Lake",
- "templateRelativePath": "PaloAltoCDL.json",
- "subtitle": "",
- "provider": "Palo Alto Networks"
- },
- {
- "workbookKey": "VMwareCarbonBlack",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "CarbonBlackEvents_CL",
- "CarbonBlackAuditLogs_CL",
- "CarbonBlackNotifications_CL"
- ],
- "dataConnectorsDependencies": [
- "VMwareCarbonBlack"
- ],
- "previewImagesFileNames": [
- "VMwareCarbonBlack.png",
- "VMwareCarbonWhite.png"
- ],
- "version": "1.0.0",
- "title": "VMware Carbon Black Cloud",
- "templateRelativePath": "VMwareCarbonBlack.json", 
- "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "arista-networks", - "logoFileName": "AristaAwakeSecurity.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "AristaAwakeSecurity" - ], - "previewImagesFileNames": [ - "AristaAwakeSecurityDevicesBlack.png", - "AristaAwakeSecurityDevicesWhite.png", - "AristaAwakeSecurityModelsBlack.png", - "AristaAwakeSecurityModelsWhite.png", - "AristaAwakeSecurityOverviewBlack.png", - "AristaAwakeSecurityOverviewWhite.png" - ], - "version": "1.0.0", - "title": "Arista Awake", - "templateRelativePath": "AristaAwakeSecurityWorkbook.json", - "subtitle": "", - "provider": "Arista Networks" - }, - { - "workbookKey": "TomcatWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "Tomcat_CL" - ], - "dataConnectorsDependencies": [ - "ApacheTomcat" - ], - "previewImagesFileNames": [ - "TomcatBlack.png", - "TomcatWhite.png" - ], - "version": "1.0.0", - "title": "ApacheTomcat", - "templateRelativePath": "Tomcat.json", - "subtitle": "", - "provider": "Apache" - }, - { - "workbookKey": "ClarotyWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "Claroty" - ], - "previewImagesFileNames": [ - "ClarotyBlack.png", - "ClarotyWhite.png" - ], - "version": "1.0.0", - "title": "Claroty", - "templateRelativePath": "ClarotyOverview.json", - "subtitle": "", - "provider": "Claroty" - }, - { - "workbookKey": "ApacheHTTPServerWorkbook", - "logoFileName": "apache.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "ApacheHTTPServer_CL" - ], - "dataConnectorsDependencies": [ - "ApacheHTTPServer" - ], - "previewImagesFileNames": [ - "ApacheHTTPServerOverviewBlack01.png", - 
"ApacheHTTPServerOverviewBlack02.png", - "ApacheHTTPServerOverviewWhite01.png", - "ApacheHTTPServerOverviewWhite02.png" - ], - "version": "1.0.0", - "title": "Apache HTTP Server", - "templateRelativePath": "ApacheHTTPServer.json", - "subtitle": "", - "provider": "Apache Software Foundation" - }, - { - "workbookKey": "OCIWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "OCI_Logs_CL" - ], - "dataConnectorsDependencies": [ - "OracleCloudInfrastructureLogsConnector" - ], - "previewImagesFileNames": [ - "OCIBlack.png", - "OCIWhite.png" - ], - "version": "1.0.0", - "title": "Oracle Cloud Infrastructure", - "templateRelativePath": "OracleCloudInfrastructureOCI.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "OracleWeblogicServerWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "OracleWebLogicServer_CL" - ], - "dataConnectorsDependencies": [ - "OracleWebLogicServer" - ], - "previewImagesFileNames": [ - "OracleWeblogicServerBlack.png", - "OracleWeblogicServerWhite.png" - ], - "version": "1.0.0", - "title": "Oracle WebLogic Server", - "templateRelativePath": "OracleWorkbook.json", - "subtitle": "", - "provider": "Oracle" - }, - { - "workbookKey": "BitglassWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "BitglassLogs_CL" - ], - "dataConnectorsDependencies": [ - "Bitglass" - ], - "previewImagesFileNames": [ - "BitglassBlack.png", - "BitglassWhite.png" - ], - "version": "1.0.0", - "title": "Bitglass", - "templateRelativePath": "Bitglass.json", - "subtitle": "", - "provider": "Bitglass" - }, - { - "workbookKey": "NGINXWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "NGINX_CL" - ], - "dataConnectorsDependencies": [ - 
"NGINXHTTPServer" - ], - "previewImagesFileNames": [ - "NGINXOverviewBlack01.png", - "NGINXOverviewBlack02.png", - "NGINXOverviewWhite01.png", - "NGINXOverviewWhite02.png" - ], - "version": "1.0.0", - "title": "NGINX HTTP Server", - "templateRelativePath": "NGINX.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "vArmourAppContollerWorkbook", - "logoFileName": "varmour-logo.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "vArmourAC" - ], - "previewImagesFileNames": [ - "vArmourAppControllerAppBlack.png", - "vArmourAppControllerAppBlack-1.png", - "vArmourAppControllerAppBlack-2.png", - "vArmourAppControllerAppBlack-3.png", - "vArmourAppControllerAppBlack-4.png", - "vArmourAppControllerAppBlack-5.png", - "vArmourAppControllerAppBlack-6.png", - "vArmourAppControllerAppBlack-7.png", - "vArmourAppControllerAppWhite.png", - "vArmourAppControllerAppWhite-1.png", - "vArmourAppControllerAppWhite-2.png", - "vArmourAppControllerAppWhite-3.png", - "vArmourAppControllerAppWhite-4.png", - "vArmourAppControllerAppWhite-5.png", - "vArmourAppControllerAppWhite-6.png", - "vArmourAppControllerAppWhite-7.png" - ], - "version": "1.0.0", - "title": "vArmour Application Controller", - "templateRelativePath": "vArmour_AppContoller_Workbook.json", - "subtitle": "", - "provider": "vArmour" - }, - { - "workbookKey": "CorelightWorkbook", - "logoFileName": "corelight.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "Corelight_CL" - ], - "dataConnectorsDependencies": [ - "Corelight" - ], - "previewImagesFileNames": [ - "CorelightConnectionsBlack1.png", - "CorelightConnectionsBlack2.png", - "CorelightConnectionsWhite1.png", - "CorelightConnectionsWhite2.png", - "CorelightDNSBlack1.png", - "CorelightDNSWhite1.png", - "CorelightFileBlack1.png", - "CorelightFileBlack2.png", - "CorelightFileWhite1.png", - "CorelightFileWhite2.png", - 
"CorelightMainBlack1.png", - "CorelightMainWhite1.png", - "CorelightSoftwareBlack1.png", - "CorelightSoftwareWhite1.png" - ], - "version": "1.0.0", - "title": "Corelight", - "templateRelativePath": "Corelight.json", - "subtitle": "", - "provider": "Corelight" - }, - { - "workbookKey": "LookoutEvents", - "logoFileName": "lookout.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "Lookout_CL" - ], - "dataConnectorsDependencies": [ - "LookoutAPI" - ], - "previewImagesFileNames": [ - "SampleLookoutWorkBookBlack.png", - "SampleLookoutWorkBookWhite.png" - ], - "version": "1.0.0", - "title": "Lookout", - "templateRelativePath": "LookoutEvents.json", - "subtitle": "", - "provider": "Lookout" - }, - { - "workbookKey": "sentinel-MicrosoftPurview", - "logoFileName": "MicrosoftPurview.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "AzureDiagnostics" - ], - "dataConnectorsDependencies": [ - "MicrosoftAzurePurview" - ], - "previewImagesFileNames": [ - "" - ], - "version": "1.0.0", - "title": "Microsoft Purview", - "templateRelativePath": "MicrosoftPurview.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "InfobloxCDCB1TDWorkbook", - "logoFileName": "infoblox_logo.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "InfobloxCloudDataConnector" - ], - "previewImagesFileNames": [ - "InfobloxCDCB1TDBlack.png", - "InfobloxCDCB1TDWhite.png" - ], - "version": "1.0.0", - "title": "Infoblox Cloud Data Connector", - "templateRelativePath": "InfobloxCDCB1TDWorkbook.json", - "subtitle": "", - "provider": "InfoBlox" - }, - { - "workbookKey": "UbiquitiUniFiWorkbook", - "logoFileName": "ubiquiti.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "Ubiquiti_CL" - ], - "dataConnectorsDependencies": [ - "UbiquitiUnifi" - ], - "previewImagesFileNames": [ - 
"UbiquitiOverviewBlack01.png", - "UbiquitiOverviewBlack02.png", - "UbiquitiOverviewWhite01.png", - "UbiquitiOverviewWhite02.png" - ], - "version": "1.0.0", - "title": "Ubiquiti UniFi", - "templateRelativePath": "Ubiquiti.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "VMwareESXiWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "Syslog" - ], - "dataConnectorsDependencies": [ - "VMwareESXi" - ], - "previewImagesFileNames": [ - "VMWareESXiBlack.png", - "VMWareESXiWhite.png" - ], - "version": "1.0.0", - "title": "VMware ESXi", - "templateRelativePath": "VMWareESXi.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "SnowflakeWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "Snowflake_CL" - ], - "dataConnectorsDependencies": [ - "SnowflakeDataConnector" - ], - "previewImagesFileNames": [ - "SnowflakeBlack.png", - "SnowflakeWhite.png" - ], - "version": "1.0.0", - "title": "Snowflake", - "templateRelativePath": "Snowflake.json", - "subtitle": "", - "provider": "Snowflake" - }, - { - "workbookKey": "LastPassWorkbook", - "logoFileName": "LastPass.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "LastPassNativePoller_CL" - ], - "dataConnectorsDependencies": [ - "LastPassAPIConnector" - ], - "previewImagesFileNames": [ - "LastPassBlack.png", - "LastPassWhite.png" - ], - "version": "1.0.0", - "title": "Lastpass Enterprise Activity Monitoring", - "templateRelativePath": "LastPassWorkbook.json", - "subtitle": "", - "provider": "LastPass" - }, - { - "workbookKey": "SecurityBridgeWorkbook", - "logoFileName": "SecurityBridgeLogo-Vector-TM_75x75.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "SecurityBridgeLogs" - ], - "dataConnectorsDependencies": [ - "SecurityBridgeSAP" - ], - 
"previewImagesFileNames": [ - "SecurityBridgeThreatDetectionWhite.png", - "SecurityBridgeThreatDetectionWhite1.png" - ], - "version": "1.0.0", - "title": "SecurityBridge App", - "templateRelativePath": "SecurityBridgeThreatDetectionforSAP.json", - "subtitle": "", - "provider": "SecurityBridge" - }, - { - "workbookKey": "PaloAltoPrismaCloudWorkbook", - "logoFileName": "paloalto_logo.svg", - "description": "Sets the time name for analysis.", - "dataTypesDependencies": [ - "PaloAltoPrismaCloudAlert_CL", - "PaloAltoPrismaCloudAudit_CL" - ], - "dataConnectorsDependencies": [ - "PaloAltoPrismaCloud" - ], - "previewImagesFileNames": [ - "PaloAltoPrismaCloudBlack01.png", - "PaloAltoPrismaCloudBlack02.png", - "PaloAltoPrismaCloudWhite01.png", - "PaloAltoPrismaCloudWhite02.png" - ], - "version": "1.0.0", - "title": "Palo Alto Prisma", - "templateRelativePath": "PaloAltoPrismaCloudOverview.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "PingFederateWorkbook", - "logoFileName": "PingIdentity.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "PingFederateEvent" - ], - "dataConnectorsDependencies": [ - "PingFederate" - ], - "previewImagesFileNames": [ - "PingFederateBlack1.png", - "PingFederateWhite1.png" - ], - "version": "1.0.0", - "title": "PingFederate", - "templateRelativePath": "PingFederate.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "McAfeeePOWorkbook", - "logoFileName": "mcafee_logo.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "McAfeeEPOEvent" - ], - "dataConnectorsDependencies": [ - "McAfeeePO" - ], - "previewImagesFileNames": [ - "McAfeeePOBlack1.png", - "McAfeeePOBlack2.png", - "McAfeeePOWhite1.png", - "McAfeeePOWhite2.png" - ], - "version": "1.0.0", - "title": "McAfee ePolicy Orchestrator", - "templateRelativePath": "McAfeeePOOverview.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": 
"OracleDatabaseAudit", - "logoFileName": "oracle_logo.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "Syslog" - ], - "dataConnectorsDependencies": [ - "OracleDatabaseAudit" - ], - "previewImagesFileNames": [ - "OracleDatabaseAuditBlack1.png", - "OracleDatabaseAuditBlack2.png", - "OracleDatabaseAuditWhite1.png", - "OracleDatabaseAuditWhite2.png" - ], - "version": "1.0.0", - "title": "Oracle Database Audit", - "templateRelativePath": "OracleDatabaseAudit.json", - "subtitle": "", - "provider": "Oracle" - }, - { - "workbookKey": "SenservaProAnalyticsWorkbook", - "logoFileName": "SenservaPro_logo.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "SenservaPro_CL" - ], - "dataConnectorsDependencies": [ - "SenservaPro" - ], - "previewImagesFileNames": [ - "SenservaProAnalyticsBlack.png", - "SenservaProAnalyticsWhite.png" - ], - "version": "1.0.0", - "title": "SenservaProAnalytics", - "templateRelativePath": "SenservaProAnalyticsWorkbook.json", - "subtitle": "", - "provider": "Senserva Pro" - }, - { - "workbookKey": "SenservaProMultipleWorkspaceWorkbook", - "logoFileName": "SenservaPro_logo.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "SenservaPro_CL" - ], - "dataConnectorsDependencies": [ - "SenservaPro" - ], - "previewImagesFileNames": [ - "SenservaProMultipleWorkspaceWorkbookBlack.png", - "SenservaProMultipleWorkspaceWorkbookWhite.png" - ], - "version": "1.0.0", - "title": "SenservaProMultipleWorkspace", - "templateRelativePath": "SenservaProMultipleWorkspaceWorkbook.json", - "subtitle": "", - "provider": "Senserva Pro" - }, - { - "workbookKey": "SenservaProSecureScoreMultiTenantWorkbook", - "logoFileName": "SenservaPro_logo.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "SenservaPro_CL" - ], - "dataConnectorsDependencies": [ - "SenservaPro" - ], - "previewImagesFileNames": [ - 
"SenservaProSecureScoreMultiTenantBlack.png", - "SenservaProSecureScoreMultiTenantWhite.png" - ], - "version": "1.0.0", - "title": "SenservaProSecureScoreMultiTenant", - "templateRelativePath": "SenservaProSecureScoreMultiTenantWorkbook.json", - "subtitle": "", - "provider": "Senserva Pro" - }, - { - "workbookKey": "CiscoSecureEndpointOverviewWorkbook", - "logoFileName": "cisco-logo-72px.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "CiscoSecureEndpoint" - ], - "dataConnectorsDependencies": [ - "CiscoSecureEndpoint" - ], - "previewImagesFileNames": [ - "CiscoSecureEndpointBlack.png", - "CiscoSecureEndpointWhite.png" - ], - "version": "1.0.0", - "title": "Cisco Secure Endpoint", - "templateRelativePath": "Cisco Secure Endpoint Overview.json", - "subtitle": "", - "provider": "Cisco" - }, - { - "workbookKey": "InfoSecGlobalWorkbook", - "logoFileName": "infosecglobal.svg", - "description": "Sets the time name for analysis.", - "dataTypesDependencies": [ - "InfoSecAnalytics_CL" - ], - "dataConnectorsDependencies": [ - "InfoSecDataConnector" - ], - "previewImagesFileNames": [ - "InfoSecGlobalWorkbookBlack.png", - "InfoSecGlobalWorkbookWhite.png" - ], - "version": "1.0.0", - "title": "AgileSec Analytics Connector", - "templateRelativePath": "InfoSecGlobal.json", - "subtitle": "", - "provider": "InfoSecGlobal" - }, - { - "workbookKey": "CrowdStrikeFalconEndpointProtectionWorkbook", - "logoFileName": "crowdstrike.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "CrowdstrikeReplicatorLogs_CL" - ], - "dataConnectorsDependencies": [ - "CrowdstrikeReplicator" - ], - "previewImagesFileNames": [ - "CrowdStrikeFalconEndpointProtectionBlack.png", - "CrowdStrikeFalconEndpointProtectionWhite.png" - ], - "version": "1.0.0", - "title": "CrowdStrike Falcon Endpoint Protection", - "templateRelativePath": "CrowdStrikeFalconEndpointProtection.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - 
"workbookKey": "IronDefenseAlertDashboard", - "logoFileName": "IronNet.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "IronNetIronDefense" - ], - "previewImagesFileNames": [ - "IronDefenseDashboardBlack.png", - "IronDefenseDashboardWhit.png" - ], - "version": "1.0.0", - "title": "IronDefenseAlertDashboard", - "templateRelativePath": "IronDefenseAlertDashboard.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "IronDefenseAlertDetails", - "logoFileName": "IronNet.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "IronNetIronDefense" - ], - "previewImagesFileNames": [ - "IronDefenseAlertsBlack.png", - "IronDefenseAlertsWhite.png" - ], - "version": "1.0.0", - "title": "IronDefenseAlertDetails", - "templateRelativePath": "IronDefenseAlertDetails.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "CiscoSEGWorkbook", - "logoFileName": "cisco-logo-72px.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "CiscoSEG" - ], - "previewImagesFileNames": [ - "CiscoSEGBlack.png", - "CiscoSEGWhite.png" - ], - "version": "1.0.0", - "title": "Cisco Secure Email Gateway", - "templateRelativePath": "CiscoSEG.json", - "subtitle": "", - "provider": "Cisco" - }, - { - "workbookKey": "EatonForeseerHealthAndAccess", - "logoFileName": "Azure_Sentinel.svg", - "description": "This workbook gives an insight into the health of all the Windows VMs in this subscription running Eaton Foreseer and the unauthorized access into the Eaton Foreseer application running on these VMs.", - "dataTypesDependencies": [ - "SecurityEvent" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "EatonForeseerHealthAndAccessBlack.png", - 
"EatonForeseerHealthAndAccessWhite.png" - ], - "version": "1.0.0", - "title": "EatonForeseerHealthAndAccess", - "templateRelativePath": "EatonForeseerHealthAndAccess.json", - "subtitle": "", - "provider": "Eaton" - }, - { - "workbookKey": "PCIDSSComplianceWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Choose your subscription and workspace in which PCI assets are deployed", - "dataTypesDependencies": [ - "AzureDaignostics", - "SecurityEvent", - "SecurityAlert", - "OracleDatabaseAuditEvent", - "Syslog", - "Anomalies" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "PCIDSSComplianceBlack01.PNG", - "PCIDSSComplianceBlack02.PNG", - "PCIDSSComplianceWhite01.PNG", - "PCIDSSComplianceWhite02.PNG" - ], - "version": "1.0.0", - "title": "PCI DSS Compliance", - "templateRelativePath": "PCIDSSCompliance.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "SonraiSecurityWorkbook", - "logoFileName": "Sonrai.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "Sonrai_Tickets_CL" - ], - "dataConnectorsDependencies": [ - "SonraiDataConnector" - ], - "previewImagesFileNames": [ - "SonraiWorkbookBlack.png", - "SonraiWorkbookWhite.png" - ], - "version": "1.0.0", - "title": "Sonrai", - "templateRelativePath": "Sonrai.json", - "subtitle": "", - "provider": "Sonrai" - }, - { - "workbookKey": "SemperisDSPWorkbook", - "logoFileName": "Semperis.svg", - "description": "Specify the time range on which to query the data", - "dataTypesDependencies": [ - "dsp_parser" - ], - "dataConnectorsDependencies": [ - "SemperisDSP" - ], - "previewImagesFileNames": [ - "SemperisDSPOverview1Black.png", - "SemperisDSPOverview1White.png", - "SemperisDSPOverview2Black.png", - "SemperisDSPOverview2White.png", - "SemperisDSPOverview3Black.png", - "SemperisDSPOverview3White.png" - ], - "version": "1.0.0", - "title": "Semperis Directory Services Protector", - "templateRelativePath": 
"SemperisDSPWorkbook.json", - "subtitle": "", - "provider": "Semperis" - }, - { - "workbookKey": "BoxWorkbook", - "logoFileName": "box.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "BoxEvents_CL" - ], - "dataConnectorsDependencies": [ - "BoxDataConnector" - ], - "previewImagesFileNames": [ - "BoxBlack1.png", - "BoxWhite1.png", - "BoxBlack2.png", - "BoxWhite2.png" - ], - "version": "1.0.0", - "title": "Box", - "templateRelativePath": "Box.json", - "subtitle": "", - "provider": "Box" - }, - { - "workbookKey": "SymantecEndpointProtection", - "logoFileName": "symantec_logo.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "SymantecEndpointProtection" - ], - "dataConnectorsDependencies": [ - "SymantecEndpointProtection" - ], - "previewImagesFileNames": [ - "SymantecEndpointProtectionBlack.png", - "SymantecEndpointProtectionWhite.png" - ], - "version": "1.0.0", - "title": "Symantec Endpoint Protection", - "templateRelativePath": "SymantecEndpointProtection.json", - "subtitle": "", - "provider": "Symantec" - }, - { - "workbookKey": "DynamicThreatModeling&Response", - "logoFileName": "", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "SecurityAlert" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "ThreatAnalysis&ResponseWhite1.png", - "ThreatAnalysis&ResponseWhite2.png" - ], - "version": "1.0.0", - "title": "Dynamic Threat Modeling Response", - "templateRelativePath": "DynamicThreatModeling&Response.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "ThreatAnalysis&Response", - "logoFileName": "", - "description": "The Defenders for IoT workbook provide guided investigations for OT entities based on open incidents, alert notifications, and activities for OT assets. 
They also provide a hunting experience across the MITRE ATT&CK® framework for ICS, and are designed to enable analysts, security engineers, and MSSPs to gain situational awareness of OT security posture.",
- "dataTypesDependencies": [
- "SecurityAlert"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "ThreatAnalysis&ResponseWhite.png"
- ],
- "version": "1.0.1",
- "title": "Threat Analysis Response",
- "templateRelativePath": "ThreatAnalysis&Response.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "TrendMicroCAS",
- "logoFileName": "Trend_Micro_Logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "TrendMicroCAS_CL"
- ],
- "dataConnectorsDependencies": [
- "TrendMicroCAS"
- ],
- "previewImagesFileNames": [
- "TrendMicroCASBlack.png",
- "TrendMicroCASWhite.png"
- ],
- "version": "1.0.0",
- "title": "TrendMicroCAS",
- "templateRelativePath": "TrendMicroCAS.json",
- "subtitle": "",
- "provider": "TrendMicro"
- },
- {
- "workbookKey": "GitHubSecurityWorkbook",
- "logoFileName": "GitHub.svg",
- "description": "Gain insights to GitHub activities that may be interesting for security.",
- "dataTypesDependencies": [
- "GitHubAuditLogPolling_CL"
- ],
- "dataConnectorsDependencies": [
- "GitHubEcAuditLogPolling"
- ],
- "previewImagesFileNames": [],
- "version": "1.0.0",
- "title": "GithubWorkbook",
- "templateRelativePath": "GitHubWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "GCPDNSWorkbook",
- "logoFileName": "google_logo.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "GCPCloudDNS"
- ],
- "dataConnectorsDependencies": [
- "GCPDNSDataConnector"
- ],
- "previewImagesFileNames": [
- "GCPDNSBlack.png",
- "GCPDNSWhite.png"
- ],
- "version": "1.0.0",
- "title": "Google Cloud Platform DNS",
- "templateRelativePath": "GCPDNS.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": 
"AtlassianJiraAuditWorkbook", - "logoFileName": "", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "AtlassianJiraNativePoller_CL" - ], - "dataConnectorsDependencies": [ - "AtlassianJira" - ], - "previewImagesFileNames": [ - "AtlassianJiraAuditWhite.png", - "AtlassianJiraAuditBlack.png" - ], - "version": "1.0.0", - "title": "AtlassianJiraAudit", - "templateRelativePath": "AtlassianJiraAudit.json", - "subtitle": "", - "provider": "Atlassian" - }, - { - "workbookKey": "DigitalGuardianWorkbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "DigitalGuardianDLPEvent" - ], - "dataConnectorsDependencies": [ - "DigitalGuardianDLP" - ], - "previewImagesFileNames": [ - "DigitalGuardianBlack.png", - "DigitalGuardianWhite.png" - ], - "version": "1.0.0", - "title": "DigitalGuardianDLP", - "templateRelativePath": "DigitalGuardian.json", - "subtitle": "", - "provider": "Digital Guardian" - }, - { - "workbookKey": "CiscoDuoWorkbook", - "logoFileName": "cisco-logo-72px.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "CiscoDuo_CL" - ], - "dataConnectorsDependencies": [ - "CiscoDuoSecurity" - ], - "previewImagesFileNames": [ - "CiscoDuoWhite.png", - "CiscoDuoBlack.png" - ], - "version": "1.0.0", - "title": "CiscoDuoSecurity", - "templateRelativePath": "CiscoDuo.json", - "subtitle": "", - "provider": "Cisco" - }, - { - "workbookKey": "SlackAudit", - "logoFileName": "slacklogo.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "SlackAudit_CL" - ], - "dataConnectorsDependencies": [ - "SlackAuditAPI" - ], - "previewImagesFileNames": [ - "SlackAuditApplicationActivityBlack1.png", - "SlackAuditApplicationActivityWhite1.png" - ], - "version": "1.0.0", - "title": "SlackAudit", - "templateRelativePath": "SlackAudit.json", - "subtitle": "", - "provider": "Slack" - }, - { - "workbookKey": 
"CiscoWSAWorkbook", - "logoFileName": "cisco-logo-72px.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "Syslog" - ], - "dataConnectorsDependencies": [ - "CiscoWSA" - ], - "previewImagesFileNames": [ - "CiscoWSAWhite.png", - "CiscoWSABlack.png" - ], - "version": "1.0.0", - "title": "CiscoWSA", - "templateRelativePath": "CiscoWSA.json", - "subtitle": "", - "provider": "Cisco" - }, - { - "workbookKey": "GCP-IAM-Workbook", - "logoFileName": "google_logo.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "GCP_IAM_CL" - ], - "dataConnectorsDependencies": [ - "GCPIAMDataConnector" - ], - "previewImagesFileNames": [ - "GCPIAMBlack01.png", - "GCPIAMBlack02.png", - "GCPIAMWhite01.png", - "GCPIAMWhite02.png" - ], - "version": "1.0.0", - "title": "Google Cloud Platform IAM", - "templateRelativePath": "GCP_IAM.json", - "subtitle": "", - "provider": "Google" - }, - { - "workbookKey": "ImpervaWAFCloudWorkbook", - "logoFileName": "Imperva_DarkGrey_final_75x75.svg", - "description": "Sets the time name for analysis.", - "dataTypesDependencies": [ - "ImpervaWAFCloud_CL" - ], - "dataConnectorsDependencies": [ - "ImpervaWAFCloudAPI" - ], - "previewImagesFileNames": [ - "ImpervaWAFCloudBlack01.png", - "ImpervaWAFCloudBlack02.png", - "ImpervaWAFCloudWhite01.png", - "ImpervaWAFCloudWhite02.png" - ], - "version": "1.0.0", - "title": "Imperva WAF Cloud Overview", - "templateRelativePath": "Imperva WAF Cloud Overview.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "ZscalerZPAWorkbook", - "logoFileName": "ZscalerLogo.svg", - "description": "Select the time range for this Overview.", - "dataTypesDependencies": [ - "ZPA_CL" - ], - "dataConnectorsDependencies": [ - "ZscalerPrivateAccess" - ], - "previewImagesFileNames": [ - "ZscalerZPABlack.png", - "ZscalerZPAWhite.png" - ], - "version": "1.0.0", - "title": "Zscaler Private Access (ZPA)", - "templateRelativePath": "ZscalerZPA.json", - 
"subtitle": "", - "provider": "Zscaler" - }, - { - "workbookKey": "GoogleWorkspaceWorkbook", - "logoFileName": "google_logo.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "GWorkspace_ReportsAPI_admin_CL", - "GWorkspace_ReportsAPI_calendar_CL", - "GWorkspace_ReportsAPI_drive_CL", - "GWorkspace_ReportsAPI_login_CL", - "GWorkspace_ReportsAPI_login_CL", - "GWorkspace_ReportsAPI_mobile_CL" - ], - "dataConnectorsDependencies": [ - "GoogleWorkspaceReportsAPI" - ], - "previewImagesFileNames": [ - "GoogleWorkspaceBlack.png", - "GoogleWorkspaceWhite.png" - ], - "version": "1.0.0", - "title": "GoogleWorkspaceReports", - "templateRelativePath": "GoogleWorkspace.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "NCProtectWorkbook", - "logoFileName": "NCProtectIcon.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "NCProtectUAL_CL" - ], - "dataConnectorsDependencies": [ - "NucleusCyberNCProtect" - ], - "previewImagesFileNames": [ - "", - "" - ], - "version": "1.0.0", - "title": "NucleusCyberProtect", - "templateRelativePath": "NucleusCyber_NCProtect_Workbook.json", - "subtitle": "", - "provider": "archTIS" - }, - { - "workbookKey": "CiscoISEWorkbook", - "logoFileName": "cisco-logo-72px.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "Syslog" - ], - "dataConnectorsDependencies": [ - "CiscoISE" - ], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "Cisco ISE", - "templateRelativePath": "CiscoISE.json", - "subtitle": "", - "provider": "Cisco" - }, - { - "workbookKey": "IoTOTThreatMonitoringwithDefenderforIoTWorkbook", - "logoFileName": "", - "description": "The OT Threat Monitoring with Defender for IoT Workbook features OT filtering for Security Alerts, Incidents, Vulnerabilities and Asset Inventory. 
The workbook features a dynamic assessment of the MITRE ATT&CK for ICS matrix across your environment to analyze and respond to OT-based threats. This workbook is designed to enable SecOps Analysts, Security Engineers, and MSSPs to gain situational awareness for IT/OT security posture.",
- "dataTypesDependencies": [
- "SecurityAlert",
- "SecurityIncident"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [],
- "version": "1.0.0",
- "title": "Microsoft Defender for IoT",
- "templateRelativePath": "IoTOTThreatMonitoringwithDefenderforIoT.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "ZeroTrust(TIC3.0)Workbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "Sets the time name for analysis",
- "dataTypesDependencies": [
- "SecurityRecommendation"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "ZeroTrust(TIC3.0)Black1.PNG",
- "ZeroTrust(TIC3.0)White1.PNG"
- ],
- "version": "1.0.0",
- "title": "ZeroTrust(TIC3.0)",
- "templateRelativePath": "ZeroTrustTIC3.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "CybersecurityMaturityModelCertification(CMMC)2.0Workbook",
- "logoFileName": "",
- "description": "Sets the time name for analysis.",
- "dataTypesDependencies": [
- "InformationProtectionLogs_CL",
- "AuditLogs",
- "SecurityIncident",
- "SigninLogs",
- "AzureActivity"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [],
- "version": "1.0.0",
- "title": "CybersecurityMaturityModelCertification(CMMC)2.0",
- "templateRelativePath": "CybersecurityMaturityModelCertification_CMMCV2.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "NISTSP80053Workbook",
- "logoFileName": "",
- "description": "Sets the time name for analysis.",
- "dataTypesDependencies": [
- "SigninLogs",
- "AuditLogs",
- "AzureActivity",
- "OfficeActivity",
- "SecurityEvents",
- "CommonSecurityLog",
- "SecurityIncident",
- "SecurityRecommendation"
- ],
- "dataConnectorsDependencies": [ - "SecurityEvents" - ], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "NISTSP80053workbook", - "templateRelativePath": "NISTSP80053.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "DarktraceWorkbook", - "logoFileName": "Darktrace.svg", - "description": "The Darktrace Workbook visualises Model Breach and AI Analyst data received by the Darktrace Data Connector and visualises events across the network, SaaS, IaaS and Email.", - "dataTypesDependencies": [ - "darktrace_model_alerts_CL" - ], - "dataConnectorsDependencies": [ - "DarktraceRESTConnector" - ], - "previewImagesFileNames": [ - "DarktraceWorkbookBlack01.png", - "DarktraceWorkbookBlack02.png", - "DarktraceWorkbookWhite01.png", - "DarktraceWorkbookWhite02.png" - ], - "version": "1.0.1", - "title": "Darktrace", - "templateRelativePath": "DarktraceWorkbook.json", - "subtitle": "", - "provider": "Darktrace" - }, - { - "workbookKey": "RecordedFutureDomainC2DNSWorkbook", - "logoFileName": "RecordedFuture.svg", - "description": "Sets the time name for DNS Events and Threat Intelligence Time Range", - "dataTypesDependencies": [ - "ThreatIntelligenceIndicator" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting", - "templateRelativePath": "Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting.json", - "subtitle": "", - "provider": "Recorded Future" - }, - { - "workbookKey": "RecordedFutureIPActiveC2Workbook", - "logoFileName": "RecordedFuture.svg", - "description": "Sets the time name for DNS Events and Threat Intelligence Time Range", - "dataTypesDependencies": [ - "ThreatIntelligenceIndicator" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting", 
- "templateRelativePath": "Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting.json",
- "subtitle": "",
- "provider": "Recorded Future"
- },
- {
- "workbookKey": "MaturityModelForEventLogManagement_M2131",
- "logoFileName": "contrastsecurity_logo.svg",
- "description": "Select the time range for this Overview.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "MaturityModelForEventLogManagement_M2131Black.png"
- ],
- "version": "1.0.0",
- "title": "MaturityModelForEventLogManagementM2131",
- "templateRelativePath": "MaturityModelForEventLogManagement_M2131.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AzureSQLSecurityWorkbook",
- "logoFileName": "AzureSQL.svg",
- "description": "Sets the time window in days to search around the alert",
- "dataTypesDependencies": [
- "AzureDiagnostics",
- "SecurityAlert",
- "SecurityIncident"
- ],
- "dataConnectorsDependencies": [
- "AzureSql"
- ],
- "previewImagesFileNames": [],
- "version": "1.0.0",
- "title": "Azure SQL Database Workbook",
- "templateRelativePath": "Workbook-AzureSQLSecurity.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "ContinuousDiagnostics&Mitigation",
- "logoFileName": "",
- "description": "Select the time range for this Overview.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "ContinuousDiagnostics&MitigationBlack.png"
- ],
- "version": "1.0.0",
- "title": "ContinuousDiagnostics&Mitigation",
- "templateRelativePath": "ContinuousDiagnostics&Mitigation.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "UserWorkbook-alexdemichieli-github-update-1",
- "logoFileName": "GitHub.svg",
- "description": "Repository selector.",
- "dataTypesDependencies": [
- "githubscanaudit_CL"
- ],
- "dataConnectorsDependencies": [
- "GitHubWebhook"
- ],
- "previewImagesFileNames": [],
- "version": "1.0.0",
- "title": "GithubWorkbook-update-to-workbook-1",
- "templateRelativePath": "update-to-workbook-1.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AtlasianJiraAuditWorkbook",
- "logoFileName": "",
- "description": "Select the time range for this Overview.",
- "dataTypesDependencies": [
- "AtlassianJiraNativePoller_CL"
- ],
- "dataConnectorsDependencies": [
- "AtlassianJira"
- ],
- "previewImagesFileNames": [
- "AtlassianJiraAuditBlack.png",
- "AtlassianJiraAuditWhite.png"
- ],
- "version": "1.0.0",
- "title": "AtlasianJiraAuditWorkbook",
- "templateRelativePath": "AtlasianJiraAuditWorkbook.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "AzureSecurityBenchmark",
- "logoFileName": "",
- "description": "Azure Security Benchmark v3 Workbook provides a mechanism for viewing log queries, azure resource graph, and policies aligned to ASB controls across Microsoft security offerings, Azure, Microsoft 365, 3rd Party, On-Premises, and Multi-cloud workloads. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective ASB requirements and practices.",
- "dataTypesDependencies": [
- "SecurityRegulatoryCompliance",
- "AzureDiagnostics",
- "SecurityIncident",
- "SigninLogs",
- "SecurityAlert"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "AzureSecurityBenchmark1.png",
- "AzureSecurityBenchmark2.png",
- "AzureSecurityBenchmark3.png"
- ],
- "version": "1.0.0",
- "title": "Azure Security Benchmark",
- "templateRelativePath": "AzureSecurityBenchmark.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "ZNAccessOchestratorAudit",
- "logoFileName": "",
- "description": "This workbook provides a summary of ZeroNetworks data.",
- "dataTypesDependencies": [
- "ZNAccessOrchestratorAudit_CL",
- "ZNAccessOrchestratorAuditNativePoller_CL"
- ],
- "dataConnectorsDependencies": [
- "ZeroNetworksAccessOrchestratorAuditFunction",
- "ZeroNetworksAccessOrchestratorAuditNativePoller"
- ],
- "previewImagesFileNames": [],
- "version": "1.0.0",
- "title": "Zero NetWork",
- "templateRelativePath": "ZNSegmentAudit.json",
- "subtitle": "",
- "provider": "Zero Networks"
- },
- {
- "workbookKey": "FireworkWorkbook",
- "logoFileName": "FlareSystems.svg",
- "description": "Select the time range for this Overview.",
- "dataTypesDependencies": [
- "Firework_CL"
- ],
- "dataConnectorsDependencies": [
- "FlareSystemsFirework"
- ],
- "previewImagesFileNames": [
- "FireworkOverviewBlack01.png",
- "FireworkOverviewBlack02.png",
- "FireworkOverviewWhite01.png",
- "FireworkOverviewWhite02.png"
- ],
- "version": "1.0.0",
- "title": "FlareSystemsFirework",
- "templateRelativePath": "FlareSystemsFireworkOverview.json",
- "subtitle": "",
- "provider": "Flare Systems"
- },
- {
- "workbookKey": "UserWorkbook-alexdemichieli-github-update-1",
- "logoFileName": "GitHub.svg",
- "description": "Gain insights to GitHub activities that may be interesting for security.",
- "dataTypesDependencies": [
- "GitHubAuditLogPolling_CL"
- ],
- "dataConnectorsDependencies": [
- "GitHubEcAuditLogPolling"
- ],
- "previewImagesFileNames": [],
- "version": "1.0.0",
- "title": "GitHub Security",
- "templateRelativePath": "GitHubAdvancedSecurity.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "TaniumWorkbook",
- "logoFileName": "Tanium.svg",
- "description": "Visualize Tanium endpoint and module data",
- "dataTypesDependencies": [
- "TaniumComplyCompliance_CL",
- "TaniumComplyVulnerabilities_CL",
- "TaniumDefenderHealth_CL",
- "TaniumDiscoverUnmanagedAssets_CL",
- "TaniumHighUptime_CL",
- "TaniumMainAsset_CL",
- "TaniumPatchListApplicability_CL",
- "TaniumPatchListCompliance_CL",
- "TaniumSCCMClientHealth_CL",
- "TaniumThreatResponse_CL"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "TaniumComplyDark.png",
- "TaniumComplyLight.png",
- "TaniumDiscoverDark.png",
- "TaniumDiscoverLight.png",
- "TaniumMSToolingHealthDark.png",
- "TaniumMSToolingHealthLight.png",
- "TaniumPatchDark.png",
- "TaniumPatchLight.png",
- "TaniumThreatResponseAlertsDark.png",
- "TaniumThreatResponseAlertsLight.png",
- "TaniumThreatResponseDark.png",
- "TaniumThreatResponseLight.png"
- ],
- "version": "1.0",
- "title": "Tanium Workbook",
- "templateRelativePath": "TaniumWorkbook.json",
- "subtitle": "",
- "provider": "Tanium"
- },
- {
- "workbookKey": "ActionableAlertsDashboard",
- "logoFileName": "",
- "description": "None.",
- "dataTypesDependencies": [
- "CyberSixgill_Alerts_CL"
- ],
- "dataConnectorsDependencies": [
- "CybersixgillActionableAlerts"
- ],
- "previewImagesFileNames": [],
- "version": "1.0.0",
- "title": "Cybersixgill Actionable Alerts Dashboard",
- "templateRelativePath": "ActionableAlertsDashboard.json",
- "subtitle": "",
- "provider": "Cybersixgill"
- },
- {
- "workbookKey": "ActionableAlertsList",
- "logoFileName": "",
- "description": "None.",
- "dataTypesDependencies": [
- "CyberSixgill_Alerts_CL" - ], - "dataConnectorsDependencies": [ - "CybersixgillActionableAlerts" - ], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "Cybersixgill Actionable Alerts List", - "templateRelativePath": "ActionableAlertsList.json", - "subtitle": "", - "provider": "Cybersixgill" - }, - { - "workbookKey": "ArgosCloudSecurityWorkbook", - "logoFileName": "argos-logo.svg", - "description": "The ARGOS Cloud Security integration for Microsoft Sentinel allows you to have all your important cloud security events in one place.", - "dataTypesDependencies": [ - "ARGOS_CL" - ], - "dataConnectorsDependencies": [ - "ARGOSCloudSecurity" - ], - "previewImagesFileNames": [ - "ARGOSCloudSecurityWorkbookBlack.png", - "ARGOSCloudSecurityWorkbookWhite.png" - ], - "version": "1.0.0", - "title": "ARGOS Cloud Security", - "templateRelativePath": "ARGOSCloudSecurityWorkbook.json", - "subtitle": "", - "provider": "ARGOS Cloud Security" - }, - { - "workbookKey": "JamfProtectWorkbook", - "logoFileName": "jamf_logo.svg", - "description": "This Jamf Protect Workbook for Microsoft Sentinel enables you to ingest Jamf Protect events forwarded into Microsoft Sentinel.\n Providing reports into all alerts, device controls and Unfied Logs.", - "dataTypesDependencies": [ - "jamfprotect_CL" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "JamfProtectDashboardBlack.png", - "JamfProtectDashboardWhite.png" - ], - "version": "2.0.0", - "title": "Jamf Protect Workbook", - "templateRelativePath": "JamfProtectDashboard.json", - "subtitle": "", - "provider": "Jamf Software, LLC" - }, - { - "workbookKey": "AIVectraStream", - "logoFileName": "", - "description": "", - "dataTypesDependencies": [ - "VectraStream_CL" - ], - "dataConnectorsDependencies": [ - "AIVectraStream" - ], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "AIVectraStreamWorkbook", - "templateRelativePath": "AIVectraStreamWorkbook.json", - "subtitle": "", - "provider": 
"Vectra AI" - }, - { - "workbookKey": "SecurityScorecardWorkbook", - "logoFileName": "", - "description": "This Workbook provides immediate insight into the data coming from SecurityScorecard’s three Sentinel data connectors: SecurityScorecard Cybersecurity Ratings, SecurityScorecard Cybersecurity Ratings - Factors, and SecurityScorecard Cybersecurity Ratings - Issues.", - "dataTypesDependencies": [ - "SecurityScorecardFactor_CL", - "SecurityScorecardIssues_CL", - "SecurityScorecardRatings_CL" - ], - "dataConnectorsDependencies": [ - "SecurityScorecardFactorAzureFunctions", - "SecurityScorecardIssueAzureFunctions", - "SecurityScorecardRatingsAzureFunctions" - ], - "previewImagesFileNames": [ - "SecurityScorecardBlack1.png", - "SecurityScorecardBlack2.png", - "SecurityScorecardBlack3.png", - "SecurityScorecardBlack4.png", - "SecurityScorecardBlack5.png", - "SecurityScorecardBlack6.png", - "SecurityScorecardWhite1.png", - "SecurityScorecardWhite2.png", - "SecurityScorecardWhite3.png", - "SecurityScorecardWhite4.png", - "SecurityScorecardWhite5.png", - "SecurityScorecardWhite6.png" - ], - "version": "1.0.0", - "title": "SecurityScorecard", - "templateRelativePath": "SecurityScorecardWorkbook.json", - "subtitle": "", - "provider": "SecurityScorecard" - }, - { - "workbookKey": "DigitalShadowsWorkbook", - "logoFileName": "DigitalShadowsLogo.svg", - "description": "For gaining insights into Digital Shadows logs.", - "dataTypesDependencies": [ - "DigitalShadows_CL" - ], - "dataConnectorsDependencies": [ - "DigitalShadowsSearchlightAzureFunctions" - ], - "previewImagesFileNames": [ - "DigitalShadowsBlack1.png", - "DigitalShadowsBlack2.png", - "DigitalShadowsBlack3.png", - "DigitalShadowsWhite1.png", - "DigitalShadowsWhite2.png", - "DigitalShadowsWhite3.png" - ], - "version": "1.0.0", - "title": "Digital Shadows", - "templateRelativePath": "DigitalShadows.json", - "subtitle": "", - "provider": "Digital Shadows" - }, - { - "workbookKey": "SalesforceServiceCloudWorkbook", - 
"logoFileName": "salesforce_logo.svg", - "description": "Sets the time name for analysis.", - "dataTypesDependencies": [ - "SalesforceServiceCloud" - ], - "dataConnectorsDependencies": [ - "SalesforceServiceCloud_CL" - ], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "Salesforce Service Cloud", - "templateRelativePath": "SalesforceServiceCloud.json", - "subtitle": "", - "provider": "Salesforce" - }, - { - "workbookKey": "NetworkSessionSolution", - "logoFileName": "Azure_Sentinel.svg", - "description": "This workbook is included as part of Network Session Essentials solution and gives a summary of analyzed traffic, helps with threat analysis and investigating suspicious IP’s and traffic analysis. Network Session Essentials Solution also includes playbooks to periodically summarize the logs thus enhancing user experience and improving data search. For the effective usage of workbook, we highly recommend to enable the summarization playbooks that are provided with this solution.", - "dataTypesDependencies": [ - "AWSVPCFlow", - "DeviceNetworkEvents", - "SecurityEvent", - "WindowsEvent", - "CommonSecurityLog", - "Syslog", - "CommonSecurityLog", - "VMConnection", - "AzureDiagnostics", - "AzureDiagnostics", - "CommonSecurityLog", - "Corelight_CL", - "VectraStream", - "CommonSecurityLog", - "CommonSecurityLog", - "Syslog", - "CiscoMerakiNativePoller" - ], - "dataConnectorsDependencies": [ - "AWSS3", - "MicrosoftThreatProtection", - "SecurityEvents", - "WindowsForwardedEvents", - "Zscaler", - "MicrosoftSysmonForLinux", - "PaloAltoNetworks", - "AzureMonitor(VMInsights)", - "AzureFirewall", - "AzureNSG", - "CiscoASA", - "Corelight", - "AIVectraStream", - "CheckPoint", - "Fortinet", - "CiscoMeraki" - ], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "Network Session Essentials", - "templateRelativePath": "NetworkSessionEssentials.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "SAPSODAnalysis", - "logoFileName": 
"AliterConsulting.svg", - "description": "SAP SOD Analysis", - "dataTypesDependencies": [ - "SAPAuditLog" - ], - "dataConnectorsDependencies": [ - "SAP" - ], - "previewImagesFileNames": [], - "version": "2.0.0", - "title": "SAP SOD Analysis", - "templateRelativePath": "SAP - Segregation of Duties v2.0 (by Aliter Consulting).json", - "subtitle": "", - "provider": "Aliter Consulting" - }, - { - "workbookKey": "TheomWorkbook", - "logoFileName": "theom-logo.svg", - "description": "Theom Alert Statistics", - "dataTypesDependencies": [ - "TheomAlerts_CL" - ], - "dataConnectorsDependencies": [ - "Theom" - ], - "previewImagesFileNames": [ - "TheomWorkbook-black.png", - "TheomWorkbook-white.png" - ], - "version": "1.0.0", - "title": "Theom", - "templateRelativePath": "Theom.json", - "subtitle": "", - "provider": "Theom" - }, - { - "workbookKey": "DynatraceWorkbooks", - "logoFileName": "dynatrace.svg", - "description": "This workbook brings together queries and visualizations to assist you in identifying potential threats surfaced by Dynatrace.", - "dataTypesDependencies": [ - "DynatraceAttacks_CL", - "DynatraceAuditLogs_CL", - "DynatraceProblems_CL", - "DynatraceSecurityProblems_CL" - ], - "dataConnectorsDependencies": [ - "DynatraceAttacks", - "DynatraceAuditLogs", - "DynatraceProblems", - "DynatraceRuntimeVulnerabilities" - ], - "previewImagesFileNames": [ - "DynatraceWorkbookBlack.png", - "DynatraceWorkbookWhite.png" - ], - "version": "2.0.0", - "title": "Dynatrace", - "templateRelativePath": "Dynatrace.json", - "subtitle": "", - "provider": "Dynatrace" - }, - { - "workbookKey": "MDOWorkbook", - "logoFileName": "", - "description": "Gain extensive insight into your organization's Microsoft Defender for Office Activity by analyzing, and correlating events.\nYou can track malware and phishing detection over time.", - "dataTypesDependencies": [ - "SecurityAlert" - ], - "dataConnectorsDependencies": [ - "MicrosoftThreatProtection" - ], - "previewImagesFileNames": [], - 
"version": "1.0.0", - "title": "Microsoft 365 Defender MDOWorkbook", - "templateRelativePath": "MDO Insights.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "AnomaliesVisualizationWorkbook", - "logoFileName": "", - "description": "A workbook that provides contextual information to a user for better insight on Anomalies and their impact. The workbook will help with investigation of anomalies as well as identify patterns that can lead to a threat.", - "dataTypesDependencies": [ - "Anomalies" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "AnomaliesVisualizationWorkbookWhite.png", - "AnomaliesVisualizationWorkbookBlack.png" - ], - "version": "1.0.0", - "title": "AnomaliesVisulization", - "templateRelativePath": "AnomaliesVisualization.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community" - }, - { - "workbookKey": "AnomalyDataWorkbook", - "logoFileName": "", - "description": "A workbook providing details, related Incident, and related Hunting Workbook for a specific Anomaly.", - "dataTypesDependencies": [ - "Anomalies" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "AnomalyDataWorkbookWhite.png", - "AnomalyDataWorkbookBlack.png" - ], - "version": "1.0.0", - "title": "AnomalyData", - "templateRelativePath": "AnomalyData.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community" - }, - { - "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC-Online", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook, dedicated to Exchange Online environments is built to have a simple view of non-standard RBAC delegations on an Exchange Online tenant. 
This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.", - "dataTypesDependencies": [ - "ESIExchangeOnlineConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents", - "ESI-ExchangeOnlineCollector" - ], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "Microsoft Exchange Least Privilege with RBAC - Online", - "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC - Online.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.", - "dataTypesDependencies": [ - "ESIExchangeOnlineConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents", - "ESI-ExchangeOnlineCollector" - ], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "Microsoft Exchange Least Privilege with RBAC", - "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeSearchAdminAuditLog", - "logoFileName": "Azure_Sentinel.svg", - "description": "This workbook is dedicated to On-Premises Exchange organizations. 
It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment.", - "dataTypesDependencies": [ - "ESIExchangeOnlineConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents", - "ESI-ExchangeOnlineCollector" - ], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "Microsoft Exchange Search AdminAuditLog", - "templateRelativePath": "Microsoft Exchange Search AdminAuditLog.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeSecurityMonitoring", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers.", - "dataTypesDependencies": [ - "ESIExchangeOnlineConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents", - "ESI-ExchangeOnlineCollector" - ], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "Microsoft Exchange Admin Activity", - "templateRelativePath": "Microsoft Exchange Admin Activity.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeSecurityReview-Online", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook is dedicated to Exchange Online tenants. 
It displays and highlights current Security configuration on various Exchange components specific to Online including delegations, the transport configuration and the linked security risks, and risky protocols.", - "dataTypesDependencies": [ - "ESIExchangeOnlineConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents", - "ESI-ExchangeOnlineCollector" - ], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "Microsoft Exchange Security Review - Online", - "templateRelativePath": "Microsoft Exchange Security Review - Online.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftExchangeSecurityReview", - "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. 
This workbook helps also to understand the transport configuration and the linked security risks.", - "dataTypesDependencies": [ - "ESIExchangeOnlineConfig_CL" - ], - "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents", - "ESI-ExchangeOnlineCollector" - ], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "Microsoft Exchange Security Review", - "templateRelativePath": "Microsoft Exchange Security Review.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "ibossMalwareAndC2Workbook", - "logoFileName": "", - "description": "A workbook providing insights into malware and C2 activity detected by iboss.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "iboss Malware and C2", - "templateRelativePath": "ibossMalwareAndC2.json", - "subtitle": "", - "provider": "iboss" - }, - { - "workbookKey": "ibossWebUsageWorkbook", - "logoFileName": "", - "description": "A workbook providing insights into web usage activity detected by iboss.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "iboss Web Usage", - "templateRelativePath": "ibossWebUsage.json", - "subtitle": "", - "provider": "iboss" - }, - { - "workbookKey": "CynerioOverviewWorkbook", - "logoFileName": "", - "description": "An overview of Cynerio Security events", - "dataTypesDependencies": ["CynerioEvent_CL"], - "dataConnectorsDependencies": ["CynerioSecurityEvents"], - "previewImagesFileNames": ["CynerioOverviewBlack.png", "CynerioOverviewWhite.png"], - "version": "1.0.0", - "title": "Cynerio Overview Workbook", - "templateRelativePath": "CynerioOverviewWorkbook.json", - "subtitle": "", - "provider": "Cynerio" - }, - { - "workbookKey": "Fortiweb-workbook", - "logoFileName": "Azure_Sentinel.svg", - "description": "This workbook depends on a parser based on a Kusto 
Function to work as expected [**Fortiweb**](https://aka.ms/sentinel-FortiwebDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.", - "dataTypesDependencies": [ - "CommonSecurityLog" - ], - "dataConnectorsDependencies": [ - "FortinetFortiWeb" - ], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "Fortiweb-workbook", - "templateRelativePath": "Fortiweb-workbook.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "ReversingLabs-CapabilitiesOverview", - "logoFileName": "reversinglabs.svg", - "description": "The ReversingLabs-CapabilitiesOverview workbook provides a high level look at your threat intelligence capabilities and how they relate to your operations.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "ReversingLabsTiSummary-White.png", - "ReversingLabsTiSummary-Black.png", - "ReversingLabsOpsSummary-White.png", - "ReversingLabsOpsSummary-Black.png" - ], - "version": "1.1.1", - "title": "ReversingLabs-CapabilitiesOverview", - "templateRelativePath": "ReversingLabs-CapabilitiesOverview.json", - "subtitle": "", - "provider": "ReversingLabs" - }, - { - "workbookKey": "TalonInsights", - "logoFileName": "Talon.svg", - "description": "This workbook provides Talon Security Insights on Log Analytics Query Logs", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "TalonInsightsBlack.png", - "TalonInsightsWhite.png" - ], - "version": "2.0.0", - "title": "Talon Insights", - "templateRelativePath": "TalonInsights.json", - "subtitle": "", - "provider": "Talon Security" - }, - { - "workbookKey": "vCenter", - "logoFileName": [], - "description": "This data connector depends on a parser based on Kusto Function **vCenter** to work as expected. 
[Follow steps to get this Kusto Function](https://aka.ms/sentinel-vCenter-parser)", - "dataTypesDependencies": [ - "vCenter_CL" - ], - "dataConnectorsDependencies": [ - "VMwarevCenter" - ], - "previewImagesFileNames": [], - "version": "1.0.0", - "title": "vCenter", - "templateRelativePath": "vCenter.json", - "subtitle": "", - "provider": "VMware" - }, - { - "workbookKey": "SAP-Monitors-AlertsandPerformance", - "logoFileName": "SAPVMIcon.svg", - "description": "SAP -Monitors- Alerts and Performance", - "dataTypesDependencies": [ - "SAPAuditLog" - ], - "dataConnectorsDependencies": [ - "SAP" - ], - "previewImagesFileNames": [ - "SAPVMIcon.svg" - ], - "version": "2.0.1", - "title": "SAP -Monitors- Alerts and Performance", - "templateRelativePath": "SAP -Monitors- Alerts and Performance.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "SAP-SecurityAuditlogandInitialAccess", - "logoFileName": "SAPVMIcon.svg", - "description": "SAP -Security Audit log and Initial Access", - "dataTypesDependencies": [ - "SAPAuditLog" - ], - "dataConnectorsDependencies": [ - "SAP" - ], - "previewImagesFileNames": [ - "SAPVMIcon.svg" - ], - "version": "2.0.1", - "title": "SAP -Security Audit log and Initial Access", - "templateRelativePath": "SAP -Security Audit log and Initial Access.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "DNSSolutionWorkbook", - "logoFileName": "", - "description": "This workbook is included as part of the DNS Essentials solution and gives a summary of analyzed DNS traffic. It also helps with threat analysis and investigating suspicious Domains, IPs and DNS traffic. DNS Essentials Solution also includes a playbook to periodically summarize the logs, thus enhancing the user experience and improving data search. 
For effective usage of workbook, we highly recommend enabling the summarization playbook that is provided with this solution.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "DNSDomainWorkbookWhite.png", - "DNSDomainWorkbookBlack.png" - ], - "version": "1.0.0", - "title": "DNS Solution Workbook", - "templateRelativePath": "DNSSolutionWorkbook.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftPowerBIActivityWorkbook", - "logoFileName": "", - "description": "This workbook provides details on Microsoft PowerBI Activity", - "dataTypesDependencies": [ - "PowerBIActivity" - ], - "dataConnectorsDependencies": [ - "Microsoft PowerBI (Preview)" - ], - "previewImagesFileNames": [ - "MicrosoftPowerBIActivityWorkbookBlack.png", - "MicrosoftPowerBIActivityWhite.png" - ], - "version": "1.0.0", - "title": "Microsoft PowerBI Activity Workbook", - "templateRelativePath": "MicrosoftPowerBIActivityWorkbook.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "MicrosoftThreatIntelligenceWorkbook", + { + "workbookKey": "42CrunchAPIProtectionWorkbook", + "logoFileName": "42CrunchLogo.svg", + "description": "Monitor and protect APIs using the 42Crunch API microfirewall", + "dataTypesDependencies": [ + "apifirewall_log_1_CL" + ], + "dataConnectorsDependencies": [ + "42CrunchAPIProtection" + ], + "previewImagesFileNames": [ + "42CrunchInstancesBlack.png", + "42CrunchInstancesWhite.png", + "42CrunchRequestsBlack.png", + "42CrunchRequestsWhite.png", + "42CrunchStatusBlack.png", + "42CrunchStatusWhite.png" + ], + "version": "1.0.0", + "title": "42Crunch API Protection Workbook", + "templateRelativePath": "42CrunchAPIProtectionWorkbook.json", + "subtitle": "", + "provider": "42Crunch" + }, + { + "workbookKey": "ForcepointNGFWAdvanced", + "logoFileName": "FPAdvLogo.svg", + "description": "Gain threat intelligence correlated security and application insights on Forcepoint NGFW (Next 
Generation Firewall). Monitor Forcepoint logging servers health.", + "dataTypesDependencies": [ + "CommonSecurityLog", + "ThreatIntelligenceIndicator" + ], + "dataConnectorsDependencies": [ + "ForcepointNgfw", + "ThreatIntelligence" + ], + "previewImagesFileNames": [ + "ForcepointNGFWAdvancedWhite.png", + "ForcepointNGFWAdvancedBlack.png" + ], + "version": "1.0.0", + "title": "Forcepoint Next Generation Firewall (NGFW) Advanced Workbook", + "templateRelativePath": "ForcepointNGFWAdvanced.json", + "subtitle": "", + "provider": "Forcepoint" + }, + { + "workbookKey": "AzureActivityWorkbook", + "logoFileName": "azureactivity_logo.svg", + "description": "Gain extensive insight into your organization's Azure Activity by analyzing, and correlating all user operations and events.\nYou can learn about all user operations, trends, and anomalous changes over time.\nThis workbook gives you the ability to drill down into caller activities and summarize detected failure and warning events.", + "dataTypesDependencies": [ + "AzureActivity" + ], + "dataConnectorsDependencies": [ + "AzureActivity" + ], + "previewImagesFileNames": [ + "AzureActivityWhite1.png", + "AzureActivityBlack1.png" + ], + "version": "2.0.0", + "title": "Azure Activity", + "templateRelativePath": "AzureActivity.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "IdentityAndAccessWorkbook", + "logoFileName": "Microsoft_logo.svg", + "description": "Gain insights into Identity and access operations by collecting and analyzing security logs, using the audit and sign-in logs to gather insights into use of Microsoft products.\nYou can view anomalies and trends across login events from all users and machines. 
This workbook also identifies suspicious entities from login and access events.", + "dataTypesDependencies": [ + "SecurityEvent" + ], + "dataConnectorsDependencies": [ + "SecurityEvents", + "WindowsSecurityEvents" + ], + "previewImagesFileNames": [ + "IdentityAndAccessWhite.png", + "IdentityAndAccessBlack.png" + ], + "version": "1.1.0", + "title": "Identity & Access", + "templateRelativePath": "IdentityAndAccess.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "CheckPointWorkbook", + "logoFileName": "checkpoint_logo.svg", + "description": "Gain insights into Check Point network activities, including number of gateways and servers, security incidents, and identify infected hosts.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "CheckPoint" + ], + "previewImagesFileNames": [ + "CheckPointWhite.png", + "CheckPointBlack.png" + ], + "version": "1.0.0", + "title": "Check Point Software Technologies", + "templateRelativePath": "CheckPoint.json", + "subtitle": "", + "provider": "Check Point" + }, + { + "workbookKey": "CiscoWorkbook", + "logoFileName": "cisco_logo.svg", + "description": "Gain insights into your Cisco ASA firewalls by analyzing traffic, events, and firewall operations.\nThis workbook analyzes Cisco ASA threat events and identifies suspicious ports, users, protocols and IP addresses.\nYou can learn about trends across user and data traffic directions, and drill down into the Cisco filter results.\nEasily detect attacks on your organization by monitoring management operations, such as configuration and logins.", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "CiscoASA" + ], + "previewImagesFileNames": [ + "CiscoWhite.png", + "CiscoBlack.png" + ], + "version": "1.1.0", + "title": "Cisco - ASA", + "templateRelativePath": "Cisco.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "PaloAltoOverviewWorkbook", + 
"logoFileName": "paloalto_logo.svg",
+ "description": "Gain insights and comprehensive monitoring into Palo Alto firewalls by analyzing traffic and activities.\nThis workbook correlates all Palo Alto data with threat events to identify suspicious entities and relationships.\nYou can learn about trends across user and data traffic, and drill down into Palo Alto Wildfire and filter results.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "PaloAltoNetworks"
+ ],
+ "previewImagesFileNames": [
+ "PaloAltoOverviewWhite1.png",
+ "PaloAltoOverviewBlack1.png",
+ "PaloAltoOverviewWhite2.png",
+ "PaloAltoOverviewBlack2.png",
+ "PaloAltoOverviewWhite3.png",
+ "PaloAltoOverviewBlack3.png"
+ ],
+ "version": "1.2.0",
+ "title": "Palo Alto overview",
+ "templateRelativePath": "PaloAltoOverview.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "PaloAltoNetworkThreatWorkbook",
+ "logoFileName": "paloalto_logo.svg",
+ "description": "Gain insights into Palo Alto network activities by analyzing threat events.\nYou can extract meaningful security information by correlating data between threats, applications, and time.\nThis workbook makes it easy to track malware, vulnerability, and virus log events.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "PaloAltoNetworks"
+ ],
+ "previewImagesFileNames": [
+ "PaloAltoNetworkThreatWhite1.png",
+ "PaloAltoNetworkThreatBlack1.png",
+ "PaloAltoNetworkThreatWhite2.png",
+ "PaloAltoNetworkThreatBlack2.png"
+ ],
+ "version": "1.1.0",
+ "title": "Palo Alto Network Threat",
+ "templateRelativePath": "PaloAltoNetworkThreat.json",
+ "subtitle": "",
+ "provider": "Palo Alto Networks"
+ },
+ {
+ "workbookKey": "EsetSMCWorkbook",
+ "logoFileName": "eset-logo.svg",
+ "description": "Visualize events and threats from Eset Security Management Center.",
+ "dataTypesDependencies": [
+ "eset_CL"
+ ],
+ "dataConnectorsDependencies": [
+ 
"EsetSMC"
+ ],
+ "previewImagesFileNames": [
+ "esetSMCWorkbook-black.png",
+ "esetSMCWorkbook-white.png"
+ ],
+ "version": "1.0.0",
+ "title": "Eset Security Management Center Overview",
+ "templateRelativePath": "esetSMCWorkbook.json",
+ "subtitle": "",
+ "provider": "Community"
+ },
+ {
+ "workbookKey": "FortigateWorkbook",
+ "logoFileName": "fortinet_logo.svg",
+ "description": "Gain insights into Fortigate firewalls by analyzing traffic and activities.\nThis workbook finds correlations in Fortigate threat events and identifies suspicious ports, users, protocols and IP addresses.\nYou can learn about trends across user and data traffic, and drill down into the Fortigate filter results.\nEasily detect attacks on your organization by monitoring management operations such as configuration and logins.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "Fortinet"
+ ],
+ "previewImagesFileNames": [
+ "FortigateWhite.png",
+ "FortigateBlack.png"
+ ],
+ "version": "1.1.0",
+ "title": "FortiGate",
+ "templateRelativePath": "Fortigate.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "DnsWorkbook",
+ "logoFileName": "dns_logo.svg",
+ "description": "Gain extensive insight into your organization's DNS by analyzing, collecting and correlating all DNS events.\nThis workbook exposes a variety of information about suspicious queries, malicious IP addresses and domain operations.",
+ "dataTypesDependencies": [
+ "DnsInventory",
+ "DnsEvents"
+ ],
+ "dataConnectorsDependencies": [
+ "DNS"
+ ],
+ "previewImagesFileNames": [
+ "DnsWhite.png",
+ "DnsBlack.png"
+ ],
+ "version": "1.3.0",
+ "title": "DNS",
+ "templateRelativePath": "Dns.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "AzureActiveDirectorySigninLogsWorkbook",
+ "logoFileName": "azureactivedirectory_logo.svg",
+ "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the 
sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.",
+ "dataTypesDependencies": [
+ "SigninLogs"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureActiveDirectory"
+ ],
+ "previewImagesFileNames": [
+ "AADsigninBlack1.png",
+ "AADsigninBlack2.png",
+ "AADsigninWhite1.png",
+ "AADsigninWhite2.png"
+ ],
+ "version": "2.4.0",
+ "title": "Azure AD Sign-in logs",
+ "templateRelativePath": "AzureActiveDirectorySignins.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "VirtualMachinesInsightsWorkbook",
+ "logoFileName": "azurevirtualmachine_logo.svg",
+ "description": "Gain rich insight into your organization's virtual machines from Azure Monitor, which analyzes and correlates data in your VM network. \nYou will get visibility on your VM parameters and behavior, and will be able to trace sent and received data. \nIdentify malicious attackers and their targets, and drill down into the protocols, source and destination IP addresses, countries, and ports the attacks occur across.",
+ "dataTypesDependencies": [
+ "VMConnection",
+ "ServiceMapComputer_CL",
+ "ServiceMapProcess_CL"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "VMInsightBlack1.png",
+ "VMInsightWhite1.png"
+ ],
+ "version": "1.3.0",
+ "title": "VM insights",
+ "templateRelativePath": "VirtualMachinesInsights.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "AzureActiveDirectoryAuditLogsWorkbook",
+ "logoFileName": "azureactivedirectory_logo.svg",
+ "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. 
\nYou can learn about user operations, including password and group management, device activities, and top active users and apps.",
+ "dataTypesDependencies": [
+ "AuditLogs"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureActiveDirectory"
+ ],
+ "previewImagesFileNames": [
+ "AzureADAuditLogsBlack1.png",
+ "AzureADAuditLogsWhite1.png"
+ ],
+ "version": "1.2.0",
+ "title": "Azure AD Audit logs",
+ "templateRelativePath": "AzureActiveDirectoryAuditLogs.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "ThreatIntelligenceWorkbook",
+ "logoFileName": "",
+ "description": "Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable.",
+ "dataTypesDependencies": [
+ "ThreatIntelligenceIndicator",
+ "SecurityIncident"
+ ],
+ "dataConnectorsDependencies": [
+ "ThreatIntelligence",
+ "ThreatIntelligenceTaxii"
+ ],
+ "previewImagesFileNames": [
+ "ThreatIntelligenceWhite.png",
+ "ThreatIntelligenceBlack.png"
+ ],
+ "version": "5.0.0",
+ "title": "Threat Intelligence",
+ "templateRelativePath": "ThreatIntelligence.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "WebApplicationFirewallOverviewWorkbook",
+ "logoFileName": "waf_logo.svg",
+ "description": "Gain insights into your organization's Azure web application firewall (WAF). 
You will get a general overview of your application gateway firewall and application gateway access events.",
+ "dataTypesDependencies": [
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "WAF"
+ ],
+ "previewImagesFileNames": [
+ "WAFOverviewBlack.png",
+ "WAFOverviewWhite.png"
+ ],
+ "version": "1.1.0",
+ "title": "Microsoft Web Application Firewall (WAF) - overview",
+ "templateRelativePath": "WebApplicationFirewallOverview.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "WebApplicationFirewallFirewallEventsWorkbook",
+ "logoFileName": "waf_logo.svg",
+ "description": "Gain insights into your organization's Azure web application firewall (WAF). You will get visibility in to your application gateway firewall. You can view anomalies and trends across all firewall event triggers, attack events, blocked URL addresses and more.",
+ "dataTypesDependencies": [
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "WAF"
+ ],
+ "previewImagesFileNames": [
+ "WAFFirewallEventsBlack1.png",
+ "WAFFirewallEventsBlack2.png",
+ "WAFFirewallEventsWhite1.png",
+ "WAFFirewallEventsWhite2.png"
+ ],
+ "version": "1.1.0",
+ "title": "Microsoft Web Application Firewall (WAF) - firewall events",
+ "templateRelativePath": "WebApplicationFirewallFirewallEvents.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "WebApplicationFirewallGatewayAccessEventsWorkbook",
+ "logoFileName": "waf_logo.svg",
+ "description": "Gain insights into your organization's Azure web application firewall (WAF). You will get visibility in to your application gateway access events. 
You can view anomalies and trends across received and sent data, client IP addresses, URL addresses and more, and drill down into details.",
+ "dataTypesDependencies": [
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "WAF"
+ ],
+ "previewImagesFileNames": [
+ "WAFGatewayAccessEventsBlack1.png",
+ "WAFGatewayAccessEventsBlack2.png",
+ "WAFGatewayAccessEventsWhite1.png",
+ "WAFGatewayAccessEventsWhite2.png"
+ ],
+ "version": "1.2.0",
+ "title": "Microsoft Web Application Firewall (WAF) - gateway access events",
+ "templateRelativePath": "WebApplicationFirewallGatewayAccessEvents.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "LinuxMachinesWorkbook",
+ "logoFileName": "azurevirtualmachine_logo.svg",
+ "description": "Gain insights into your workspaces' Linux machines by connecting Microsoft Sentinel and using the logs to gather insights around Linux events and errors.",
+ "dataTypesDependencies": [
+ "Syslog"
+ ],
+ "dataConnectorsDependencies": [
+ "Syslog"
+ ],
+ "previewImagesFileNames": [
+ "LinuxMachinesWhite.png",
+ "LinuxMachinesBlack.png"
+ ],
+ "version": "1.1.0",
+ "title": "Linux machines",
+ "templateRelativePath": "LinuxMachines.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "AzureFirewallWorkbook",
+ "logoFileName": "AzFirewalls.svg",
+ "description": "Gain insights into Azure Firewall events. 
You can learn about your application and network rules, see metrics for firewall activities across URLs, ports, and addresses across multiple workspaces.",
+ "dataTypesDependencies": [
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureFirewall"
+ ],
+ "previewImagesFileNames": [
+ "AzureFirewallWorkbookWhite1.PNG",
+ "AzureFirewallWorkbookBlack1.PNG",
+ "AzureFirewallWorkbookWhite2.PNG",
+ "AzureFirewallWorkbookBlack2.PNG",
+ "AzureFirewallWorkbookWhite3.PNG",
+ "AzureFirewallWorkbookBlack3.PNG",
+ "AzureFirewallWorkbookWhite4.PNG",
+ "AzureFirewallWorkbookBlack4.PNG",
+ "AzureFirewallWorkbookWhite5.PNG",
+ "AzureFirewallWorkbookBlack5.PNG"
+ ],
+ "version": "1.3.0",
+ "title": "Azure Firewall",
+ "templateRelativePath": "AzureFirewallWorkbook.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "AzureFirewallWorkbook-StructuredLogs",
+ "logoFileName": "AzFirewalls.svg",
+ "description": "Gain insights into Azure Firewall events using the new Structured Logs for Azure Firewall. 
You can learn about your application and network rules, see metrics for firewall activities across URLs, ports, and addresses across multiple workspaces.",
+ "dataTypesDependencies": [
+ "AZFWNetworkRule",
+ "AZFWApplicationRule",
+ "AZFWDnsQuery",
+ "AZFWThreatIntel"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureFirewall"
+ ],
+ "previewImagesFileNames": [
+ "AzureFirewallWorkbookWhite1.PNG",
+ "AzureFirewallWorkbookBlack1.PNG",
+ "AzureFirewallWorkbookWhite2.PNG",
+ "AzureFirewallWorkbookBlack2.PNG",
+ "AzureFirewallWorkbookWhite3.PNG",
+ "AzureFirewallWorkbookBlack3.PNG",
+ "AzureFirewallWorkbookWhite4.PNG",
+ "AzureFirewallWorkbookBlack4.PNG",
+ "AzureFirewallWorkbookWhite5.PNG",
+ "AzureFirewallWorkbookBlack5.PNG"
+ ],
+ "version": "1.0.0",
+ "title": "Azure Firewall Structured Logs",
+ "templateRelativePath": "AzureFirewallWorkbook-StructuredLogs.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "AzureDDoSStandardProtection",
+ "logoFileName": "AzDDoS.svg",
+ "description": "This workbook visualizes security-relevant Azure DDoS events across several filterable panels. 
Offering a summary tab, metrics and a investigate tabs across multiple workspaces.",
+ "dataTypesDependencies": [
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "DDOS"
+ ],
+ "previewImagesFileNames": [
+ "AzureDDoSWhite1.PNG",
+ "AzureDDoSBlack1.PNG",
+ "AzureDDoSWhite2.PNG",
+ "AzureDDoSBlack2.PNG",
+ "AzureDDoSWhite2.PNG",
+ "AzureDDoSBlack2.PNG"
+ ],
+ "version": "1.0.2",
+ "title": "Azure DDoS Protection Workbook",
+ "templateRelativePath": "AzDDoSStandardWorkbook.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftCloudAppSecurityWorkbook",
+ "logoFileName": "Microsoft_logo.svg",
+ "description": "Using this workbook, you can identify which cloud apps are being used in your organization, gain insights from usage trends and drill down to a specific user and application.",
+ "dataTypesDependencies": [
+ "McasShadowItReporting"
+ ],
+ "dataConnectorsDependencies": [
+ "MicrosoftCloudAppSecurity"
+ ],
+ "previewImagesFileNames": [
+ "McasDiscoveryBlack.png",
+ "McasDiscoveryWhite.png"
+ ],
+ "version": "1.2.0",
+ "title": "Microsoft Cloud App Security - discovery logs",
+ "templateRelativePath": "MicrosoftCloudAppSecurity.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "F5BIGIPSytemMetricsWorkbook",
+ "logoFileName": "f5_logo.svg",
+ "description": "Gain insight into F5 BIG-IP health and performance. 
This workbook provides visibility of various metrics including CPU, memory, connectivity, throughput and disk utilization.",
+ "dataTypesDependencies": [
+ "F5Telemetry_system_CL",
+ "F5Telemetry_AVR_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "F5BigIp"
+ ],
+ "previewImagesFileNames": [
+ "F5SMBlack.png",
+ "F5SMWhite.png"
+ ],
+ "version": "1.1.0",
+ "title": "F5 BIG-IP System Metrics",
+ "templateRelativePath": "F5BIGIPSystemMetrics.json",
+ "subtitle": "",
+ "provider": "F5 Networks"
+ },
+ {
+ "workbookKey": "F5NetworksWorkbook",
+ "logoFileName": "f5_logo.svg",
+ "description": "Gain insights into F5 BIG-IP Application Security Manager (ASM), by analyzing traffic and activities.\nThis workbook provides insight into F5's web application firewall events and identifies attack traffic patterns across multiple ASM instances as well as overall BIG-IP health.",
+ "dataTypesDependencies": [
+ "F5Telemetry_LTM_CL",
+ "F5Telemetry_system_CL",
+ "F5Telemetry_ASM_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "F5BigIp"
+ ],
+ "previewImagesFileNames": [
+ "F5White.png",
+ "F5Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "F5 BIG-IP ASM",
+ "templateRelativePath": "F5Networks.json",
+ "subtitle": "",
+ "provider": "F5 Networks"
+ },
+ {
+ "workbookKey": "AzureNetworkWatcherWorkbook",
+ "logoFileName": "networkwatcher_logo.svg",
+ "description": "Gain deeper understanding of your organization's Azure network traffic by analyzing, and correlating Network Security Group flow logs. \nYou can trace malicious traffic flows, and drill down into their protocols, source and destination IP addresses, machines, countries, and subnets. 
\nThis workbook also helps you protect your network by identifying weak NSG rules.",
+ "dataTypesDependencies": [
+ "AzureNetworkAnalytics_CL"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "AzureNetworkWatcherWhite.png",
+ "AzureNetworkWatcherBlack.png"
+ ],
+ "version": "1.1.0",
+ "title": "Azure Network Watcher",
+ "templateRelativePath": "AzureNetworkWatcher.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "ZscalerFirewallWorkbook",
+ "logoFileName": "zscaler_logo.svg",
+ "description": "Gain insights into your ZIA cloud firewall logs by connecting to Microsoft Sentinel.\nThe Zscaler firewall overview workbook provides an overview and ability to drill down into all cloud firewall activity in your Zscaler instance including non-web related networking events, security events, firewall rules, and bandwidth consumption",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "Zscaler"
+ ],
+ "previewImagesFileNames": [
+ "ZscalerFirewallWhite1.png",
+ "ZscalerFirewallBlack1.png",
+ "ZscalerFirewallWhite2.png",
+ "ZscalerFirewallBlack2.png"
+ ],
+ "version": "1.1.0",
+ "title": "Zscaler Firewall",
+ "templateRelativePath": "ZscalerFirewall.json",
+ "subtitle": "",
+ "provider": "Zscaler"
+ },
+ {
+ "workbookKey": "ZscalerWebOverviewWorkbook",
+ "logoFileName": "zscaler_logo.svg",
+ "description": "Gain insights into your ZIA web logs by connecting to Microsoft Sentinel.\nThe Zscaler web overview workbook provides a bird's eye view and ability to drill down into all the security and networking events related to web transactions, types of devices, and bandwidth consumption.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "Zscaler"
+ ],
+ "previewImagesFileNames": [
+ "ZscalerWebOverviewWhite.png",
+ "ZscalerWebOverviewBlack.png"
+ ],
+ "version": "1.1.0",
+ "title": "Zscaler Web Overview",
+ "templateRelativePath": 
"ZscalerWebOverview.json",
+ "subtitle": "",
+ "provider": "Zscaler"
+ },
+ {
+ "workbookKey": "ZscalerThreatsOverviewWorkbook",
+ "logoFileName": "zscaler_logo.svg",
+ "description": "Gain insights into threats blocked by Zscaler Internet access on your network.\nThe Zscaler threat overview workbook shows your entire threat landscape including blocked malware, IPS/AV rules, and blocked cloud apps. Threats are displayed by threat categories, filetypes, inbound vs outbound threats, usernames, user location, and more.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "Zscaler"
+ ],
+ "previewImagesFileNames": [
+ "ZscalerThreatsWhite.png",
+ "ZscalerThreatsBlack.png"
+ ],
+ "version": "1.2.0",
+ "title": "Zscaler Threats",
+ "templateRelativePath": "ZscalerThreats.json",
+ "subtitle": "",
+ "provider": "Zscaler"
+ },
+ {
+ "workbookKey": "ZscalerOffice365AppsWorkbook",
+ "logoFileName": "zscaler_logo.svg",
+ "description": "Gain insights into Office 365 use on your network.\nThe Zscaler Office 365 overview workbook shows you the Microsoft apps running on your network and their individual bandwidth consumption. 
It also helps identify phishing attempts in which attackers disguised themselves as Microsoft services.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "Zscaler"
+ ],
+ "previewImagesFileNames": [
+ "ZscalerOffice365White.png",
+ "ZscalerOffice365Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "Zscaler Office365 Apps",
+ "templateRelativePath": "ZscalerOffice365Apps.json",
+ "subtitle": "",
+ "provider": "Zscaler"
+ },
+ {
+ "workbookKey": "InsecureProtocolsWorkbook",
+ "logoFileName": "Microsoft_logo.svg",
+ "description": "Gain insights into insecure protocol traffic by collecting and analyzing security events from Microsoft products.\nYou can view analytics and quickly identify use of weak authentication as well as sources of legacy protocol traffic, like NTLM and SMBv1.\nYou will also have the ability to monitor use of weak ciphers, allowing you to find weak spots in your organization's security.",
+ "dataTypesDependencies": [
+ "SecurityEvent",
+ "Event",
+ "SigninLogs"
+ ],
+ "dataConnectorsDependencies": [
+ "SecurityEvents",
+ "AzureActiveDirectory",
+ "WindowsSecurityEvents"
+ ],
+ "previewImagesFileNames": [
+ "InsecureProtocolsWhite1.png",
+ "InsecureProtocolsBlack1.png",
+ "InsecureProtocolsWhite2.png",
+ "InsecureProtocolsBlack2.png"
+ ],
+ "version": "2.1.0",
+ "title": "Insecure Protocols",
+ "templateRelativePath": "InsecureProtocols.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "AmazonWebServicesNetworkActivitiesWorkbook",
+ "logoFileName": "amazon_web_services_Logo.svg",
+ "description": "Gain insights into AWS network related resource activities, including the creation, update, and deletions of security groups, network ACLs and routes, gateways, elastic load balancers, VPCs, subnets, and network interfaces.",
+ "dataTypesDependencies": [
+ "AWSCloudTrail"
+ ],
+ "dataConnectorsDependencies": [
+ "AWS"
+ ],
+ "previewImagesFileNames": [
+ "AwsNetworkActivitiesWhite.png", 
+ "AwsNetworkActivitiesBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "AWS Network Activities",
+ "templateRelativePath": "AmazonWebServicesNetworkActivities.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "AmazonWebServicesUserActivitiesWorkbook",
+ "logoFileName": "amazon_web_services_Logo.svg",
+ "description": "Gain insights into AWS user activities, including failed sign-in attempts, IP addresses, regions, user agents, and identity types, as well as potential malicious user activities with assumed roles.",
+ "dataTypesDependencies": [
+ "AWSCloudTrail"
+ ],
+ "dataConnectorsDependencies": [
+ "AWS"
+ ],
+ "previewImagesFileNames": [
+ "AwsUserActivitiesWhite.png",
+ "AwsUserActivitiesBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "AWS User Activities",
+ "templateRelativePath": "AmazonWebServicesUserActivities.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "TrendMicroDeepSecurityAttackActivityWorkbook",
+ "logoFileName": "trendmicro_logo.svg",
+ "description": "Visualize and gain insights into the MITRE ATT&CK related activity detected by Trend Micro Deep Security.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "TrendMicro"
+ ],
+ "previewImagesFileNames": [
+ "TrendMicroDeepSecurityAttackActivityWhite.png",
+ "TrendMicroDeepSecurityAttackActivityBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Trend Micro Deep Security ATT&CK Related Activity",
+ "templateRelativePath": "TrendMicroDeepSecurityAttackActivity.json",
+ "subtitle": "",
+ "provider": "Trend Micro"
+ },
+ {
+ "workbookKey": "TrendMicroDeepSecurityOverviewWorkbook",
+ "logoFileName": "trendmicro_logo.svg",
+ "description": "Gain insights into your Trend Micro Deep Security security event data by visualizing your Deep Security Anti-Malware, Firewall, Integrity Monitoring, Intrusion Prevention, Log Inspection, and Web Reputation event data.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog" 
+ ],
+ "dataConnectorsDependencies": [
+ "TrendMicro"
+ ],
+ "previewImagesFileNames": [
+ "TrendMicroDeepSecurityOverviewWhite1.png",
+ "TrendMicroDeepSecurityOverviewBlack1.png",
+ "TrendMicroDeepSecurityOverviewWhite2.png",
+ "TrendMicroDeepSecurityOverviewBlack2.png"
+ ],
+ "version": "1.0.0",
+ "title": "Trend Micro Deep Security Events",
+ "templateRelativePath": "TrendMicroDeepSecurityOverview.json",
+ "subtitle": "",
+ "provider": "Trend Micro"
+ },
+ {
+ "workbookKey": "ExtraHopDetectionSummaryWorkbook",
+ "logoFileName": "extrahop_logo.svg",
+ "description": "Gain insights into ExtraHop Reveal(x) detections by analyzing traffic and activities.\nThis workbook provides an overview of security detections in your organization's network, including high-risk detections and top participants.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "ExtraHopNetworks"
+ ],
+ "previewImagesFileNames": [
+ "ExtrahopWhite.png",
+ "ExtrahopBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "ExtraHop",
+ "templateRelativePath": "ExtraHopDetectionSummary.json",
+ "subtitle": "",
+ "provider": "ExtraHop Networks"
+ },
+ {
+ "workbookKey": "BarracudaCloudFirewallWorkbook",
+ "logoFileName": "barracuda_logo.svg",
+ "description": "Gain insights into your Barracuda CloudGen Firewall by analyzing firewall operations and events.\nThis workbook provides insights into rule enforcement, network activities, including number of connections, top users, and helps you identify applications that are popular on your network.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog",
+ "Syslog"
+ ],
+ "dataConnectorsDependencies": [
+ "BarracudaCloudFirewall"
+ ],
+ "previewImagesFileNames": [
+ "BarracudaWhite1.png",
+ "BarracudaBlack1.png",
+ "BarracudaWhite2.png",
+ "BarracudaBlack2.png"
+ ],
+ "version": "1.0.0",
+ "title": "Barracuda CloudGen FW",
+ "templateRelativePath": "Barracuda.json",
+ "subtitle": "",
+ "provider": "Barracuda"
+ },
+ {
+ 
"workbookKey": "CitrixWorkbook",
+ "logoFileName": "citrix_logo.svg",
+ "description": "Citrix Analytics for Security aggregates and correlates information across network traffic, users, files and endpoints in Citrix environments. This generates actionable insights that enable Citrix administrators and security teams to remediate user security threats through automation while optimizing IT operations. Machine learning and artificial intelligence empowers Citrix Analytics for Security to identify and take automated action to prevent data exfiltration. While delivered as a cloud service, Citrix Analytics for Security can generate insights from resources located on-premises, in the cloud, or in hybrid architectures. The Citrix Analytics Workbook further enhances the value of both your Citrix Analytics for Security and Microsoft Sentinel. The Workbook enables you to integrate data sources together, helping you gain even richer insights. It also gives Security Operations (SOC) teams the ability to correlate data from disparate logs, helping you identify and proactively remediate security risk quickly. Additionally, valuable dashboards that were unique to the Citrix Analytics for Security can now be implemented in Sentinel. You can also create new custom Workbooks that were not previously available, helping extend the value of both investments.",
+ "dataTypesDependencies": [
+ "CitrixAnalytics_userProfile_CL",
+ "CitrixAnalytics_riskScoreChange_CL",
+ "CitrixAnalytics_indicatorSummary_CL",
+ "CitrixAnalytics_indicatorEventDetails_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "Citrix"
+ ],
+ "previewImagesFileNames": [
+ "CitrixWhite.png",
+ "CitrixBlack.png"
+ ],
+ "version": "2.1.0",
+ "title": "Citrix Analytics",
+ "templateRelativePath": "Citrix.json",
+ "subtitle": "",
+ "provider": "Citrix Systems Inc." 
+ },
+ {
+ "workbookKey": "OneIdentityWorkbook",
+ "logoFileName": "oneIdentity_logo.svg",
+ "description": "This simple workbook gives an overview of sessions going through your SafeGuard for Privileged Sessions device.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "OneIdentity"
+ ],
+ "previewImagesFileNames": [
+ "OneIdentityWhite.png",
+ "OneIdentityBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "One Identity",
+ "templateRelativePath": "OneIdentity.json",
+ "subtitle": "",
+ "provider": "One Identity LLC."
+ },
+ {
+ "workbookKey": "SecurityStatusWorkbook",
+ "logoFileName": "",
+ "description": "This workbook gives an overview of Security Settings for VMs and Azure Arc.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog",
+ "SecurityEvent",
+ "Syslog"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "AzureSentinelSecurityStatusBlack.png",
+ "AzureSentinelSecurityStatusWhite.png"
+ ],
+ "version": "1.3.0",
+ "title": "Security Status",
+ "templateRelativePath": "SecurityStatus.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "AzureSentinelSecurityAlertsWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Security Alerts dashboard for alerts in your Microsoft Sentinel environment.",
+ "dataTypesDependencies": [
+ "SecurityAlert"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "AzureSentinelSecurityAlertsWhite.png",
+ "AzureSentinelSecurityAlertsBlack.png"
+ ],
+ "version": "1.1.0",
+ "title": "Security Alerts",
+ "templateRelativePath": "AzureSentinelSecurityAlerts.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "SquadraTechnologiesSecRMMWorkbook",
+ "logoFileName": "SquadraTechnologiesLogo.svg",
+ "description": "This workbook gives an overview of security data for removable storage activity such as USB thumb drives and USB connected mobile devices.",
+ "dataTypesDependencies": [
+ 
"secRMM_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "SquadraTechnologiesSecRmm"
+ ],
+ "previewImagesFileNames": [
+ "SquadraTechnologiesSecRMMWhite.PNG",
+ "SquadraTechnologiesSecRMMBlack.PNG"
+ ],
+ "version": "1.0.0",
+ "title": "Squadra Technologies SecRMM - USB removable storage security",
+ "templateRelativePath": "SquadraTechnologiesSecRMM.json",
+ "subtitle": "",
+ "provider": "Squadra Technologies"
+ },
+ {
+ "workbookKey": "IoT-Alerts",
+ "logoFileName": "IoTIcon.svg",
+ "description": "Gain insights into your IoT data workloads from Azure IoT Hub managed deployments, monitor alerts across all your IoT Hub deployments, detect devices at risk and act upon potential threats.",
+ "dataTypesDependencies": [
+ "SecurityAlert"
+ ],
+ "dataConnectorsDependencies": [
+ "IoT"
+ ],
+ "previewImagesFileNames": [
+ "IOTBlack1.png",
+ "IOTWhite1.png"
+ ],
+ "version": "1.2.0",
+ "title": "Azure Defender for IoT Alerts",
+ "templateRelativePath": "IOT_Alerts.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "IoTAssetDiscovery",
+ "logoFileName": "IoTIcon.svg",
+ "description": "IoT Devices asset discovery from Firewall logs By Azure Defender for IoT",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "Fortinet"
+ ],
+ "previewImagesFileNames": [
+ "workbook-iotassetdiscovery-screenshot-Black.PNG",
+ "workbook-iotassetdiscovery-screenshot-White.PNG"
+ ],
+ "version": "1.0.0",
+ "title": "IoT Asset Discovery",
+ "templateRelativePath": "IoTAssetDiscovery.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "ForcepointCASBWorkbook",
+ "logoFileName": "FP_Green_Emblem_RGB-01.svg",
+ "description": "Get insights on user risk with the Forcepoint CASB (Cloud Access Security Broker) workbook.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "ForcepointCasb"
+ ],
+ "previewImagesFileNames": [
+ "ForcepointCASBWhite.png",
+ 
"ForcepointCASBBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Forcepoint Cloud Access Security Broker (CASB)",
+ "templateRelativePath": "ForcepointCASB.json",
+ "subtitle": "",
+ "provider": "Forcepoint"
+ },
+ {
+ "workbookKey": "ForcepointNGFWWorkbook",
+ "logoFileName": "FP_Green_Emblem_RGB-01.svg",
+ "description": "Get insights on firewall activities with the Forcepoint NGFW (Next Generation Firewall) workbook.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "ForcepointNgfw"
+ ],
+ "previewImagesFileNames": [
+ "ForcepointNGFWWhite.png",
+ "ForcepointNGFWBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Forcepoint Next Generation Firewall (NGFW)",
+ "templateRelativePath": "ForcepointNGFW.json",
+ "subtitle": "",
+ "provider": "Forcepoint"
+ },
+ {
+ "workbookKey": "ForcepointDLPWorkbook",
+ "logoFileName": "FP_Green_Emblem_RGB-01.svg",
+ "description": "Get insights on DLP incidents with the Forcepoint DLP (Data Loss Prevention) workbook.",
+ "dataTypesDependencies": [
+ "ForcepointDLPEvents_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ForcepointDlp"
+ ],
+ "previewImagesFileNames": [
+ "ForcepointDLPWhite.png",
+ "ForcepointDLPBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Forcepoint Data Loss Prevention (DLP)",
+ "templateRelativePath": "ForcepointDLP.json",
+ "subtitle": "",
+ "provider": "Forcepoint"
+ },
+ {
+ "workbookKey": "ZimperiumMTDWorkbook",
+ "logoFileName": "ZIMPERIUM-logo_square2.svg",
+ "description": "This workbook provides insights on Zimperium Mobile Threat Defense (MTD) threats and mitigations.",
+ "dataTypesDependencies": [
+ "ZimperiumThreatLog_CL",
+ "ZimperiumMitigationLog_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ZimperiumMtdAlerts"
+ ],
+ "previewImagesFileNames": [
+ "ZimperiumWhite.png",
+ "ZimperiumBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Zimperium Mobile Threat Defense (MTD)",
+ "templateRelativePath": "ZimperiumWorkbooks.json",
+ "subtitle": "",
+ "provider": 
"Zimperium"
+ },
+ {
+ "workbookKey": "AzureAuditActivityAndSigninWorkbook",
+ "logoFileName": "azureactivedirectory_logo.svg",
+ "description": "Gain insights into Azure Active Directory Audit, Activity and Signins with one workbook. This workbook can be used by Security and Azure administrators.",
+ "dataTypesDependencies": [
+ "AzureActivity",
+ "AuditLogs",
+ "SigninLogs"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureActiveDirectory"
+ ],
+ "previewImagesFileNames": [
+ "AzureAuditActivityAndSigninWhite1.png",
+ "AzureAuditActivityAndSigninWhite2.png",
+ "AzureAuditActivityAndSigninBlack1.png",
+ "AzureAuditActivityAndSigninBlack2.png"
+ ],
+ "version": "1.2.0",
+ "title": "Azure AD Audit, Activity and Sign-in logs",
+ "templateRelativePath": "AzureAuditActivityAndSignin.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "WindowsFirewall",
+ "logoFileName": "Microsoft_logo.svg",
+ "description": "Gain insights into Windows Firewall logs in combination with security and Azure signin logs",
+ "dataTypesDependencies": [
+ "WindowsFirewall",
+ "SecurityEvent",
+ "SigninLogs"
+ ],
+ "dataConnectorsDependencies": [
+ "SecurityEvents",
+ "WindowsFirewall",
+ "WindowsSecurityEvents"
+ ],
+ "previewImagesFileNames": [
+ "WindowsFirewallWhite1.png",
+ "WindowsFirewallWhite2.png",
+ "WindowsFirewallBlack1.png",
+ "WindowsFirewallBlack2.png"
+ ],
+ "version": "1.0.0",
+ "title": "Windows Firewall",
+ "templateRelativePath": "WindowsFirewall.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "EventAnalyzerwWorkbook",
+ "logoFileName": "",
+ "description": "The Event Analyzer workbook allows to explore, audit and speed up analysis of Windows Event Logs, including all event details and attributes, such as security, application, system, setup, directory service, DNS and others.",
+ "dataTypesDependencies": [
+ "SecurityEvent"
+ ],
+ "dataConnectorsDependencies": [
+ "SecurityEvents",
+
"WindowsSecurityEvents"
+ ],
+ "previewImagesFileNames": [
+ "EventAnalyzer-Workbook-White.png",
+ "EventAnalyzer-Workbook-Black.png"
+ ],
+ "version": "1.0.0",
+ "title": "Event Analyzer",
+ "templateRelativePath": "EventAnalyzer.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "ASC-ComplianceandProtection",
+ "logoFileName": "",
+ "description": "Gain insight into regulatory compliance, alert trends, security posture, and more with this workbook based on Azure Security Center data.",
+ "dataTypesDependencies": [
+ "SecurityAlert",
+ "ProtectionStatus",
+ "SecurityRecommendation",
+ "SecurityBaseline",
+ "SecurityBaselineSummary",
+ "Update",
+ "ConfigurationChange"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureSecurityCenter"
+ ],
+ "previewImagesFileNames": [
+ "ASCCaPBlack.png",
+ "ASCCaPWhite.png"
+ ],
+ "version": "1.2.0",
+ "title": "ASC Compliance and Protection",
+ "templateRelativePath": "ASC-ComplianceandProtection.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "AIVectraDetectWorkbook",
+ "logoFileName": "AIVectraDetect.svg",
+ "description": "Start investigating network attacks surfaced by Vectra Detect directly from Sentinel. View critical hosts, accounts, campaigns and detections. 
Also monitor Vectra system health and audit logs.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "AIVectraDetect"
+ ],
+ "previewImagesFileNames": [
+ "AIVectraDetectWhite1.png",
+ "AIVectraDetectBlack1.png"
+ ],
+ "version": "1.1.1",
+ "title": "Vectra AI Detect",
+ "templateRelativePath": "AIVectraDetectWorkbook.json",
+ "subtitle": "",
+ "provider": "Vectra AI"
+ },
+ {
+ "workbookKey": "Perimeter81OverviewWorkbook",
+ "logoFileName": "Perimeter81_Logo.svg",
+ "description": "Gain insights and comprehensive monitoring into your Perimeter 81 account by analyzing activities.",
+ "dataTypesDependencies": [
+ "Perimeter81_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "Perimeter81ActivityLogs"
+ ],
+ "previewImagesFileNames": [
+ "Perimeter81OverviewWhite1.png",
+ "Perimeter81OverviewBlack1.png",
+ "Perimeter81OverviewWhite2.png",
+ "Perimeter81OverviewBlack2.png"
+ ],
+ "version": "1.0.0",
+ "title": "Perimeter 81 Overview",
+ "templateRelativePath": "Perimeter81OverviewWorkbook.json",
+ "subtitle": "",
+ "provider": "Perimeter 81"
+ },
+ {
+ "workbookKey": "SymantecProxySGWorkbook",
+ "logoFileName": "symantec_logo.svg",
+ "description": "Gain insight into Symantec ProxySG by analyzing, collecting and correlating proxy data.\nThis workbook provides visibility into ProxySG Access logs",
+ "dataTypesDependencies": [
+ "Syslog"
+ ],
+ "dataConnectorsDependencies": [
+ "SymantecProxySG"
+ ],
+ "previewImagesFileNames": [
+ "SymantecProxySGWhite.png",
+ "SymantecProxySGBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Symantec ProxySG",
+ "templateRelativePath": "SymantecProxySG.json",
+ "subtitle": "",
+ "provider": "Symantec"
+ },
+ {
+ "workbookKey": "IllusiveASMWorkbook",
+ "logoFileName": "illusive_logo_workbook.svg",
+ "description": "Gain insights into your organization's Cyber Hygiene and Attack Surface risk.\nIllusive ASM automates discovery and clean-up of credential violations, allows drill-down inspection of 
pathways to critical assets, and provides risk insights that inform intelligent decision-making to reduce attacker mobility.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "illusiveAttackManagementSystem"
+ ],
+ "previewImagesFileNames": [
+ "IllusiveASMWhite.png",
+ "IllusiveASMBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Illusive ASM Dashboard",
+ "templateRelativePath": "IllusiveASM.json",
+ "subtitle": "",
+ "provider": "Illusive"
+ },
+ {
+ "workbookKey": "IllusiveADSWorkbook",
+ "logoFileName": "illusive_logo_workbook.svg",
+ "description": "Gain insights into unauthorized lateral movement in your organization's network.\nIllusive ADS is designed to paralyzes attackers and eradicates in-network threats by creating a hostile environment for the attackers across all the layers of the attack surface.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "illusiveAttackManagementSystem"
+ ],
+ "previewImagesFileNames": [
+ "IllusiveADSWhite.png",
+ "IllusiveADSBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Illusive ADS Dashboard",
+ "templateRelativePath": "IllusiveADS.json",
+ "subtitle": "",
+ "provider": "Illusive"
+ },
+ {
+ "workbookKey": "PulseConnectSecureWorkbook",
+ "logoFileName": "",
+ "description": "Gain insight into Pulse Secure VPN by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into user VPN activities",
+ "dataTypesDependencies": [
+ "Syslog"
+ ],
+ "dataConnectorsDependencies": [
+ "PulseConnectSecure"
+ ],
+ "previewImagesFileNames": [
+ "PulseConnectSecureWhite.png",
+ "PulseConnectSecureBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Pulse Connect Secure",
+ "templateRelativePath": "PulseConnectSecure.json",
+ "subtitle": "",
+ "provider": "Pulse Secure"
+ },
+ {
+ "workbookKey": "InfobloxNIOSWorkbook",
+ "logoFileName": "infoblox_logo.svg",
+ "description": "Gain insight into Infoblox NIOS by 
analyzing, collecting and correlating DHCP and DNS data.\nThis workbook provides visibility into DHCP and DNS traffic",
+ "dataTypesDependencies": [
+ "Syslog"
+ ],
+ "dataConnectorsDependencies": [
+ "InfobloxNIOS"
+ ],
+ "previewImagesFileNames": [],
+ "version": "1.1.0",
+ "title": "Infoblox NIOS",
+ "templateRelativePath": "Infoblox-Workbook-V2.json",
+ "subtitle": "",
+ "provider": "Infoblox"
+ },
+ {
+ "workbookKey": "SymantecVIPWorkbook",
+ "logoFileName": "symantec_logo.svg",
+ "description": "Gain insight into Symantec VIP by analyzing, collecting and correlating strong authentication data.\nThis workbook provides visibility into user authentications",
+ "dataTypesDependencies": [
+ "Syslog"
+ ],
+ "dataConnectorsDependencies": [
+ "SymantecVIP"
+ ],
+ "previewImagesFileNames": [
+ "SymantecVIPWhite.png",
+ "SymantecVIPBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Symantec VIP",
+ "templateRelativePath": "SymantecVIP.json",
+ "subtitle": "",
+ "provider": "Symantec"
+ },
+ {
+ "workbookKey": "ProofPointTAPWorkbook",
+ "logoFileName": "proofpointlogo.svg",
+ "description": "Gain extensive insight into Proofpoint Targeted Attack Protection (TAP) by analyzing, collecting and correlating TAP log events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked",
+ "dataTypesDependencies": [
+ "ProofPointTAPMessagesBlocked_CL",
+ "ProofPointTAPMessagesDelivered_CL",
+ "ProofPointTAPClicksPermitted_CL",
+ "ProofPointTAPClicksBlocked_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ProofpointTAP"
+ ],
+ "previewImagesFileNames": [
+ "ProofpointTAPWhite.png",
+ "ProofpointTAPBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Proofpoint TAP",
+ "templateRelativePath": "ProofpointTAP.json",
+ "subtitle": "",
+ "provider": "Proofpoint"
+ },
+ {
+ "workbookKey": "QualysVMV2Workbook",
+ "logoFileName": "qualys_logo.svg",
+ "description": "Gain insight into Qualys Vulnerability Management by analyzing, collecting and 
correlating vulnerability data.\nThis workbook provides visibility into vulnerabilities detected from vulnerability scans",
+ "dataTypesDependencies": [
+ "QualysHostDetectionV2_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "QualysVulnerabilityManagement"
+ ],
+ "previewImagesFileNames": [
+ "QualysVMWhite.png",
+ "QualysVMBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Qualys Vulnerability Management",
+ "templateRelativePath": "QualysVMv2.json",
+ "subtitle": "",
+ "provider": "Qualys"
+ },
+ {
+ "workbookKey": "GitHubSecurityWorkbook",
+ "logoFileName": "GitHub.svg",
+ "description": "Gain insights to GitHub activities that may be interesting for security.",
+ "dataTypesDependencies": [
+ "Github_CL",
+ "GitHubRepoLogs_CL"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "GitHubSecurityWhite.png",
+ "GitHubSecurityBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "GitHub Security",
+ "templateRelativePath": "GitHubSecurityWorkbook.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "VisualizationDemo",
+ "logoFileName": "",
+ "description": "Learn and explore the many ways of displaying information within Microsoft Sentinel workbooks",
+ "dataTypesDependencies": [
+ "SecurityAlert"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "VisualizationDemoBlack.png",
+ "VisualizationDemoWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Visualizations Demo",
+ "templateRelativePath": "VisualizationDemo.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "SophosXGFirewallWorkbook",
+ "logoFileName": "sophos_logo.svg",
+ "description": "Gain insight into Sophos XG Firewall by analyzing, collecting and correlating firewall data.\nThis workbook provides visibility into network traffic",
+ "dataTypesDependencies": [
+ "Syslog"
+ ],
+ "dataConnectorsDependencies": [
+ "SophosXGFirewall"
+ ],
+ "previewImagesFileNames": [
+
"SophosXGFirewallWhite.png",
+ "SophosXGFirewallBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Sophos XG Firewall",
+ "templateRelativePath": "SophosXGFirewall.json",
+ "subtitle": "",
+ "provider": "Sophos"
+ },
+ {
+ "workbookKey": "SysmonThreatHuntingWorkbook",
+ "logoFileName": "",
+ "description": "Simplify your threat hunts using Sysmon data mapped to MITRE ATT&CK data. This workbook gives you the ability to drilldown into system activity based on known ATT&CK techniques as well as other threat hunting entry points such as user activity, network connections or virtual machine Sysmon events.\nPlease note that for this workbook to work you must have deployed Sysmon on your virtual machines in line with the instructions at https://github.com/BlueTeamLabs/sentinel-attack/wiki/Onboarding-sysmon-data-to-Azure-Sentinel",
+ "dataTypesDependencies": [
+ "Event"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SysmonThreatHuntingWhite1.png",
+ "SysmonThreatHuntingBlack1.png"
+ ],
+ "version": "1.4.0",
+ "title": "Sysmon Threat Hunting",
+ "templateRelativePath": "SysmonThreatHunting.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "WebApplicationFirewallWAFTypeEventsWorkbook",
+ "logoFileName": "webapplicationfirewall(WAF)_logo.svg",
+ "description": "Gain insights into your organization's Azure web application firewall (WAF) across various services such as Azure Front Door Service and Application Gateway. You can view event triggers, full messages, attacks over time, among other data. 
Several aspects of the workbook are interactable to allow users to further understand their data",
+ "dataTypesDependencies": [
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "WAF"
+ ],
+ "previewImagesFileNames": [
+ "WAFFirewallWAFTypeEventsBlack1.PNG",
+ "WAFFirewallWAFTypeEventsBlack2.PNG",
+ "WAFFirewallWAFTypeEventsBlack3.PNG",
+ "WAFFirewallWAFTypeEventsBlack4.PNG",
+ "WAFFirewallWAFTypeEventsWhite1.png",
+ "WAFFirewallWAFTypeEventsWhite2.PNG",
+ "WAFFirewallWAFTypeEventsWhite3.PNG",
+ "WAFFirewallWAFTypeEventsWhite4.PNG"
+ ],
+ "version": "1.1.0",
+ "title": "Microsoft Web Application Firewall (WAF) - Azure WAF",
+ "templateRelativePath": "WebApplicationFirewallWAFTypeEvents.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "OrcaAlertsOverviewWorkbook",
+ "logoFileName": "Orca_logo.svg",
+ "description": "A visualized overview of Orca security alerts.\nExplore, analize and learn about your security posture using Orca alerts Overview",
+ "dataTypesDependencies": [
+ "OrcaAlerts_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "OrcaSecurityAlerts"
+ ],
+ "previewImagesFileNames": [
+ "OrcaAlertsWhite.png",
+ "OrcaAlertsBlack.png"
+ ],
+ "version": "1.1.0",
+ "title": "Orca alerts overview",
+ "templateRelativePath": "OrcaAlerts.json",
+ "subtitle": "",
+ "provider": "Orca Security"
+ },
+ {
+ "workbookKey": "CyberArkWorkbook",
+ "logoFileName": "CyberArk_Logo.svg",
+ "description": "The CyberArk Syslog connector allows you to easily connect all your CyberArk security solution logs with your Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
Integration between CyberArk and Microsoft Sentinel makes use of the CEF Data Connector to properly parse and display CyberArk Syslog messages.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "CyberArk"
+ ],
+ "previewImagesFileNames": [
+ "CyberArkActivitiesWhite.PNG",
+ "CyberArkActivitiesBlack.PNG"
+ ],
+ "version": "1.1.0",
+ "title": "CyberArk EPV Events",
+ "templateRelativePath": "CyberArkEPV.json",
+ "subtitle": "",
+ "provider": "CyberArk"
+ },
+ {
+ "workbookKey": "UserEntityBehaviorAnalyticsWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Identify compromised users and insider threats using User and Entity Behavior Analytics. Gain insights into anomalous user behavior from baselines learned from behavior patterns",
+ "dataTypesDependencies": [
+ "BehaviorAnalytics"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "UserEntityBehaviorAnalyticsBlack1.png",
+ "UserEntityBehaviorAnalyticsWhite1.png"
+ ],
+ "version": "1.2.0",
+ "title": "User And Entity Behavior Analytics",
+ "templateRelativePath": "UserEntityBehaviorAnalytics.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "CitrixWAF",
+ "logoFileName": "citrix_logo.svg",
+ "description": "Gain insight into the Citrix WAF logs",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "CitrixWAF"
+ ],
+ "previewImagesFileNames": [
+ "CitrixWAFBlack.png",
+ "CitrixWAFWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Citrix WAF (Web App Firewall)",
+ "templateRelativePath": "CitrixWAF.json",
+ "subtitle": "",
+ "provider": "Citrix Systems Inc."
+ },
+ {
+ "workbookKey": "UnifiSGWorkbook",
+ "logoFileName": "",
+ "description": "Gain insights into Unifi Security Gateways analyzing traffic and activities.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "UnifiSGBlack.png",
+ "UnifiSGWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Unifi Security Gateway",
+ "templateRelativePath": "UnfiSG.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "UnifiSGNetflowWorkbook",
+ "logoFileName": "",
+ "description": "Gain insights into Unifi Security Gateways analyzing traffic and activities using Netflow.",
+ "dataTypesDependencies": [
+ "netflow_CL"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "UnifiSGNetflowBlack.png",
+ "UnifiSGNetflowWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Unifi Security Gateway - NetFlow",
+ "templateRelativePath": "UnfiSGNetflow.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "NormalizedNetworkEventsWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "See insights on multiple networking appliances and other network sessions, that have been parsed or mapped to the normalized networking sessions table. 
Note this requires enabling parsers for the different products - to learn more, visit https://aka.ms/sentinelnormalizationdocs",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "NormalizedNetworkEventsWhite.png",
+ "NormalizedNetworkEventsBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Normalized network events",
+ "templateRelativePath": "NormalizedNetworkEvents.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "WorkspaceAuditingWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Workspace auditing report\r\nUse this report to understand query runs across your workspace.",
+ "dataTypesDependencies": [
+ "LAQueryLogs"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "WorkspaceAuditingWhite.png",
+ "WorkspaceAuditingBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Workspace audit",
+ "templateRelativePath": "WorkspaceAuditing.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "MITREATTACKWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Workbook to showcase MITRE ATT&CK Coverage for Microsoft Sentinel",
+ "dataTypesDependencies": [
+ "SecurityAlert"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "MITREATTACKWhite1.PNG",
+ "MITREATTACKWhite2.PNG",
+ "MITREATTACKBlack1.PNG",
+ "MITREATTACKBlack2.PNG"
+ ],
+ "version": "1.0.1",
+ "title": "MITRE ATT&CK Workbook",
+ "templateRelativePath": "MITREAttack.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "BETTERMTDWorkbook",
+ "logoFileName": "BETTER_MTD_logo.svg",
+ "description": "Workbook using the BETTER Mobile Threat Defense (MTD) connector, to give insights into your mobile devices, installed application and overall device security posture.",
+ "dataTypesDependencies": [
+ "BetterMTDDeviceLog_CL",
+ "BetterMTDAppLog_CL",
+ "BetterMTDIncidentLog_CL",
+
"BetterMTDNetflowLog_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "BetterMTD"
+ ],
+ "previewImagesFileNames": [
+ "BetterMTDWorkbookPreviewWhite1.png",
+ "BetterMTDWorkbookPreviewWhite2.png",
+ "BetterMTDWorkbookPreviewWhite3.png",
+ "BetterMTDWorkbookPreviewBlack1.png",
+ "BetterMTDWorkbookPreviewBlack2.png",
+ "BetterMTDWorkbookPreviewBlack3.png"
+ ],
+ "version": "1.1.0",
+ "title": "BETTER Mobile Threat Defense (MTD)",
+ "templateRelativePath": "BETTER_MTD_Workbook.json",
+ "subtitle": "",
+ "provider": "BETTER Mobile"
+ },
+ {
+ "workbookKey": "AlsidIoEWorkbook",
+ "logoFileName": "Alsid.svg",
+ "description": "Workbook showcasing the state and evolution of your Alsid for AD Indicators of Exposures alerts.",
+ "dataTypesDependencies": [
+ "AlsidForADLog_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "AlsidForAD"
+ ],
+ "previewImagesFileNames": [
+ "AlsidIoEBlack1.png",
+ "AlsidIoEBlack2.png",
+ "AlsidIoEBlack3.png",
+ "AlsidIoEWhite1.png",
+ "AlsidIoEWhite2.png",
+ "AlsidIoEWhite3.png"
+ ],
+ "version": "1.0.0",
+ "title": "Alsid for AD | Indicators of Exposure",
+ "templateRelativePath": "AlsidIoE.json",
+ "subtitle": "",
+ "provider": "Alsid"
+ },
+ {
+ "workbookKey": "AlsidIoAWorkbook",
+ "logoFileName": "Alsid.svg",
+ "description": "Workbook showcasing the state and evolution of your Alsid for AD Indicators of Attack alerts.",
+ "dataTypesDependencies": [
+ "AlsidForADLog_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "AlsidForAD"
+ ],
+ "previewImagesFileNames": [
+ "AlsidIoABlack1.png",
+ "AlsidIoABlack2.png",
+ "AlsidIoABlack3.png",
+ "AlsidIoAWhite1.png",
+ "AlsidIoAWhite2.png",
+ "AlsidIoAWhite3.png"
+ ],
+ "version": "1.0.0",
+ "title": "Alsid for AD | Indicators of Attack",
+ "templateRelativePath": "AlsidIoA.json",
+ "subtitle": "",
+ "provider": "Alsid"
+ },
+ {
+ "workbookKey": "InvestigationInsightsWorkbook",
+ "logoFileName": "Microsoft_logo.svg",
+ "description": "Help analysts gain insight into incident, bookmark and entity data through the 
Investigation Insights Workbook. This workbook provides common queries and detailed visualizations to help an analyst investigate suspicious activities quickly with an easy to use interface. Analysts can start their investigation from a Microsoft Sentinel incident, bookmark, or by simply entering the entity data into the workbook manually.",
+ "dataTypesDependencies": [
+ "AuditLogs",
+ "AzureActivity",
+ "CommonSecurityLog",
+ "OfficeActivity",
+ "SecurityEvent",
+ "SigninLogs",
+ "ThreatIntelligenceIndicator"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureActivity",
+ "SecurityEvents",
+ "Office365",
+ "AzureActiveDirectory",
+ "ThreatIntelligence",
+ "ThreatIntelligenceTaxii",
+ "WindowsSecurityEvents"
+ ],
+ "previewImagesFileNames": [
+ "InvestigationInsightsWhite1.png",
+ "InvestigationInsightsBlack1.png",
+ "InvestigationInsightsWhite2.png",
+ "InvestigationInsightsBlack2.png"
+ ],
+ "version": "1.4.0",
+ "title": "Investigation Insights",
+ "templateRelativePath": "InvestigationInsights.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "AksSecurityWorkbook",
+ "logoFileName": "Kubernetes_services.svg",
+ "description": "See insights about the security of your AKS clusters. The workbook helps to identify sensitive operations in the clusters and get insights based on Azure Defender alerts.",
+ "dataTypesDependencies": [
+ "SecurityAlert",
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureSecurityCenter",
+ "AzureKubernetes"
+ ],
+ "previewImagesFileNames": [
+ "AksSecurityWhite.png",
+ "AksSecurityBlack.png"
+ ],
+ "version": "1.5.0",
+ "title": "Azure Kubernetes Service (AKS) Security",
+ "templateRelativePath": "AksSecurity.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "AzureKeyVaultWorkbook",
+ "logoFileName": "KeyVault.svg",
+ "description": "See insights about the security of your Azure key vaults. 
The workbook helps to identify sensitive operations in the key vaults and get insights based on Azure Defender alerts.",
+ "dataTypesDependencies": [
+ "SecurityAlert",
+ "AzureDiagnostics"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureSecurityCenter",
+ "AzureKeyVault"
+ ],
+ "previewImagesFileNames": [
+ "AkvSecurityWhite.png",
+ "AkvSecurityBlack.png"
+ ],
+ "version": "1.1.0",
+ "title": "Azure Key Vault Security",
+ "templateRelativePath": "AzureKeyVaultWorkbook.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "IncidentOverview",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "The Incident Overview workbook is designed to assist in triaging and investigation by providing in-depth information about the incident, including:\r\n* General information\r\n* Entity data\r\n* Triage time (time between incident creation and first response)\r\n* Mitigation time (time between incident creation and closing)\r\n* Comments\r\n\r\nCustomize this workbook by saving and editing it. \r\nYou can reach this workbook template from the incidents panel as well. Once you have customized it, the link from the incident panel will open the customized workbook instead of the template.\r\n",
+ "dataTypesDependencies": [
+ "SecurityAlert",
+ "SecurityIncident"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "IncidentOverviewBlack1.png",
+ "IncidentOverviewWhite1.png",
+ "IncidentOverviewBlack2.png",
+ "IncidentOverviewWhite2.png"
+ ],
+ "version": "2.1.0",
+ "title": "Incident overview",
+ "templateRelativePath": "IncidentOverview.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "SecurityOperationsEfficiency",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Security operations center managers can view overall efficiency metrics and measures regarding the performance of their team. 
They can find operations by multiple indicators over time including severity, MITRE tactics, mean time to triage, mean time to resolve and more. The SOC manager can develop a picture of the performance in both general and specific areas over time and use it to improve efficiency.",
+ "dataTypesDependencies": [
+ "SecurityAlert",
+ "SecurityIncident"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SecurityEfficiencyWhite1.png",
+ "SecurityEfficiencyWhite2.png",
+ "SecurityEfficiencyBlack1.png",
+ "SecurityEfficiencyBlack2.png"
+ ],
+ "version": "1.5.0",
+ "title": "Security Operations Efficiency",
+ "templateRelativePath": "SecurityOperationsEfficiency.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "DataCollectionHealthMonitoring",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Gain insights into your workspace's data ingestion status. In this workbook, you can view additional monitors and detect anomalies that will help you determine your workspace\u2019s data collection health.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "HealthMonitoringWhite1.png",
+ "HealthMonitoringWhite2.png",
+ "HealthMonitoringWhite3.png",
+ "HealthMonitoringBlack1.png",
+ "HealthMonitoringBlack2.png",
+ "HealthMonitoringBlack3.png"
+ ],
+ "version": "1.0.0",
+ "title": "Data collection health monitoring",
+ "templateRelativePath": "DataCollectionHealthMonitoring.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "OnapsisAlarmsWorkbook",
+ "logoFileName": "onapsis_logo.svg",
+ "description": "Gain insights into what is going on in your SAP Systems with this overview of the alarms triggered in the Onapsis Platform. 
Incidents are enriched with context and next steps to help your Security team respond effectively.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "OnapsisPlatform"
+ ],
+ "previewImagesFileNames": [
+ "OnapsisWhite1.PNG",
+ "OnapsisBlack1.PNG",
+ "OnapsisWhite2.PNG",
+ "OnapsisBlack2.PNG"
+ ],
+ "version": "1.0.0",
+ "title": "Onapsis Alarms Overview",
+ "templateRelativePath": "OnapsisAlarmsOverview.json",
+ "subtitle": "",
+ "provider": "Onapsis"
+ },
+ {
+ "workbookKey": "DelineaWorkbook",
+ "logoFileName": "DelineaLogo.svg",
+ "description": "The Delinea Secret Server Syslog connector",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "DelineaSecretServer_CEF"
+ ],
+ "previewImagesFileNames": [
+ "DelineaWorkbookWhite.PNG",
+ "DelineaWorkbookBlack.PNG"
+ ],
+ "version": "1.0.0",
+ "title": "Delinea Secret Server Workbook",
+ "templateRelativePath": "DelineaWorkbook.json",
+ "subtitle": "",
+ "provider": "Delinea"
+ },
+ {
+ "workbookKey": "ForcepointCloudSecurityGatewayWorkbook",
+ "logoFileName": "Forcepoint_new_logo.svg",
+ "description": "Use this report to understand query runs across your workspace.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "ForcepointCSG"
+ ],
+ "previewImagesFileNames": [
+ "ForcepointCloudSecurityGatewayWhite.png",
+ "ForcepointCloudSecurityGatewayBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Forcepoint Cloud Security Gateway Workbook",
+ "templateRelativePath": "ForcepointCloudSecuirtyGatewayworkbook.json",
+ "subtitle": "",
+ "provider": "Forcepoint"
+ },
+ {
+ "workbookKey": "IntsightsIOCWorkbook",
+ "logoFileName": "IntSights_logo.svg",
+ "description": "This Microsoft Sentinel workbook provides an overview of Indicators of Compromise (IOCs) and their correlations allowing users to analyze and visualize indicators based on severity, type, and other parameters.",
+ "dataTypesDependencies":
[
+ "ThreatIntelligenceIndicator",
+ "SecurityAlert"
+ ],
+ "dataConnectorsDependencies": [
+ "ThreatIntelligenceTaxii"
+ ],
+ "previewImagesFileNames": [
+ "IntsightsIOCWhite.png",
+ "IntsightsMatchedWhite.png",
+ "IntsightsMatchedBlack.png",
+ "IntsightsIOCBlack.png"
+ ],
+ "version": "2.0.0",
+ "title": "IntSights IOC Workbook",
+ "templateRelativePath": "IntsightsIOCWorkbook.json",
+ "subtitle": "",
+ "provider": "IntSights Cyber Intelligence"
+ },
+ {
+ "workbookKey": "DarktraceSummaryWorkbook",
+ "logoFileName": "Darktrace.svg",
+ "description": "A workbook containing relevant KQL queries to help you visualise the data in model breaches from the Darktrace Connector",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "Darktrace"
+ ],
+ "previewImagesFileNames": [
+ "AIA-DarktraceSummaryWhite.png",
+ "AIA-DarktraceSummaryBlack.png"
+ ],
+ "version": "1.1.0",
+ "title": "AI Analyst Darktrace Model Breach Summary",
+ "templateRelativePath": "AIA-Darktrace.json",
+ "subtitle": "",
+ "provider": "Darktrace"
+ },
+ {
+ "workbookKey": "TrendMicroXDR",
+ "logoFileName": "trendmicro_logo.svg",
+ "description": "Gain insights from Trend Vision One with this overview of the Alerts triggered.",
+ "dataTypesDependencies": [
+ "TrendMicro_XDR_WORKBENCH_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "TrendMicroXDR"
+ ],
+ "previewImagesFileNames": [
+ "TrendMicroXDROverviewWhite.png",
+ "TrendMicroXDROverviewBlack.png"
+ ],
+ "version": "1.3.0",
+ "title": "Trend Vision One Alert Overview",
+ "templateRelativePath": "TrendMicroXDROverview.json",
+ "subtitle": "",
+ "provider": "Trend Micro"
+ },
+ {
+ "workbookKey": "CyberpionOverviewWorkbook",
+ "logoFileName": "cyberpion_logo.svg",
+ "description": "Use Cyberpion's Security Logs and this workbook, to get an overview of your online assets, gain insights into their current state, and find ways to better secure your ecosystem.",
+ "dataTypesDependencies": [
+ "CyberpionActionItems_CL"
+
],
+ "dataConnectorsDependencies": [
+ "CyberpionSecurityLogs"
+ ],
+ "previewImagesFileNames": [
+ "CyberpionActionItemsBlack.png",
+ "CyberpionActionItemsWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Cyberpion Overview",
+ "templateRelativePath": "CyberpionOverviewWorkbook.json",
+ "subtitle": "",
+ "provider": "Cyberpion"
+ },
+ {
+ "workbookKey": "SolarWindsPostCompromiseHuntingWorkbook",
+ "logoFileName": "MSTIC-Logo.svg",
+ "description": "This hunting workbook is intended to help identify activity related to the Solorigate compromise and subsequent attacks discovered in December 2020",
+ "dataTypesDependencies": [
+ "CommonSecurityLog",
+ "SigninLogs",
+ "AuditLogs",
+ "AADServicePrincipalSignInLogs",
+ "OfficeActivity",
+ "BehaviorAnalytics",
+ "SecurityEvent",
+ "DeviceProcessEvents",
+ "SecurityAlert",
+ "DnsEvents"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureActiveDirectory",
+ "SecurityEvents",
+ "Office365",
+ "MicrosoftThreatProtection",
+ "DNS",
+ "WindowsSecurityEvents"
+ ],
+ "previewImagesFileNames": [
+ "SolarWindsPostCompromiseHuntingWhite.png",
+ "SolarWindsPostCompromiseHuntingBlack.png"
+ ],
+ "version": "1.5.0",
+ "title": "SolarWinds Post Compromise Hunting",
+ "templateRelativePath": "SolarWindsPostCompromiseHunting.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "ProofpointPODWorkbook",
+ "logoFileName": "proofpointlogo.svg",
+ "description": "Gain insights into your Proofpoint on Demand Email Security activities, including maillog and messages data. 
The Workbook provides users with an executive dashboard showing the reporting capabilities, message traceability and monitoring.",
+ "dataTypesDependencies": [
+ "ProofpointPOD_maillog_CL",
+ "ProofpointPOD_message_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ProofpointPOD"
+ ],
+ "previewImagesFileNames": [
+ "ProofpointPODMainBlack1.png",
+ "ProofpointPODMainBlack2.png",
+ "ProofpointPODMainWhite1.png",
+ "ProofpointPODMainWhite2.png",
+ "ProofpointPODMessageSummaryBlack.png",
+ "ProofpointPODMessageSummaryWhite.png",
+ "ProofpointPODTLSBlack.png",
+ "ProofpointPODTLSWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Proofpoint On-Demand Email Security",
+ "templateRelativePath": "ProofpointPOD.json",
+ "subtitle": "",
+ "provider": "Proofpoint"
+ },
+ {
+ "workbookKey": "CiscoUmbrellaWorkbook",
+ "logoFileName": "cisco_logo.svg",
+ "description": "Gain insights into Cisco Umbrella activities, including the DNS, Proxy and Cloud Firewall data. Workbook shows general information along with threat landscape including categories, blocked destinations and URLs.",
+ "dataTypesDependencies": [
+ "Cisco_Umbrella_dns_CL",
+ "Cisco_Umbrella_proxy_CL",
+ "Cisco_Umbrella_ip_CL",
+ "Cisco_Umbrella_cloudfirewall_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "CiscoUmbrellaDataConnector"
+ ],
+ "previewImagesFileNames": [
+ "CiscoUmbrellaDNSBlack1.png",
+ "CiscoUmbrellaDNSBlack2.png",
+ "CiscoUmbrellaDNSWhite1.png",
+ "CiscoUmbrellaDNSWhite2.png",
+ "CiscoUmbrellaFirewallBlack.png",
+ "CiscoUmbrellaFirewallWhite.png",
+ "CiscoUmbrellaMainBlack1.png",
+ "CiscoUmbrellaMainBlack2.png",
+ "CiscoUmbrellaMainWhite1.png",
+ "CiscoUmbrellaMainWhite2.png",
+ "CiscoUmbrellaProxyBlack1.png",
+ "CiscoUmbrellaProxyBlack2.png",
+ "CiscoUmbrellaProxyWhite1.png",
+ "CiscoUmbrellaProxyWhite2.png"
+ ],
+ "version": "1.0.0",
+ "title": "Cisco Umbrella",
+ "templateRelativePath": "CiscoUmbrella.json",
+ "subtitle": "",
+ "provider": "Cisco"
+ },
+ {
+ "workbookKey": "AnalyticsEfficiencyWorkbook",
+
"logoFileName": "Azure_Sentinel.svg",
+ "description": "Gain insights into the efficacy of your analytics rules. In this workbook you can analyze and monitor the analytics rules found in your workspace to achieve better performance by your SOC.",
+ "dataTypesDependencies": [
+ "SecurityAlert",
+ "SecurityIncident"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "AnalyticsEfficiencyBlack.png",
+ "AnalyticsEfficiencyWhite.png"
+ ],
+ "version": "1.2.0",
+ "title": "Analytics Efficiency",
+ "templateRelativePath": "AnalyticsEfficiency.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "WorkspaceUsage",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Gain insights into your workspace's usage. In this workbook, you can view your workspace\u2019s data consumption, latency, recommended tasks and Cost and Usage statistics.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "WorkspaceUsageBlack.png",
+ "WorkspaceUsageWhite.png"
+ ],
+ "version": "1.6.0",
+ "title": "Workspace Usage Report",
+ "templateRelativePath": "WorkspaceUsage.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "SentinelCentral",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Use this report to view Incident (and Alert data) across many workspaces, this works with Azure Lighthouse and across any subscription you have access to.",
+ "dataTypesDependencies": [
+ "SecurityIncident"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SentinelCentralBlack.png",
+ "SentinelCentralWhite.png"
+ ],
+ "version": "2.1.1",
+ "title": "Microsoft Sentinel Central",
+ "templateRelativePath": "SentinelCentral.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "CognniIncidentsWorkbook",
+ "logoFileName": "cognni-logo.svg",
+ "description": "Gain intelligent insights into the risks to your 
important financial, legal, HR, and governance information. This workbook lets you monitor your at-risk information to determine when and why incidents occurred, as well as who was involved. These incidents are broken into high, medium, and low risk incidents for each information category.",
+ "dataTypesDependencies": [
+ "CognniIncidents_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "CognniSentinelDataConnector"
+ ],
+ "previewImagesFileNames": [
+ "CognniBlack.PNG",
+ "CognniWhite.PNG"
+ ],
+ "version": "1.0.0",
+ "title": "Cognni Important Information Incidents",
+ "templateRelativePath": "CognniIncidentsWorkbook.json",
+ "subtitle": "",
+ "provider": "Cognni"
+ },
+ {
+ "workbookKey": "pfsense",
+ "logoFileName": "pfsense_logo.svg",
+ "description": "Gain insights into pfsense logs from both filterlog and nginx.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "pfsenseBlack.png",
+ "pfsenseWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "pfsense",
+ "templateRelativePath": "pfsense.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "ExchangeCompromiseHunting",
+ "logoFileName": "MSTIC-Logo.svg",
+ "description": "This workbook is intended to help defenders in responding to the Exchange Server vulnerabilities disclosed in March 2021, as well as hunting for potential compromise activity. 
More details on these vulnearbilities can be found at: https://aka.ms/exchangevulns",
+ "dataTypesDependencies": [
+ "SecurityEvent",
+ "W3CIISLog"
+ ],
+ "dataConnectorsDependencies": [
+ "SecurityEvents",
+ "AzureMonitor(IIS)",
+ "WindowsSecurityEvents"
+ ],
+ "previewImagesFileNames": [
+ "ExchangeBlack.png",
+ "ExchangeWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Exchange Compromise Hunting",
+ "templateRelativePath": "ExchangeCompromiseHunting.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "SOCProcessFramework",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SOCProcessFrameworkCoverImage1White.png",
+ "SOCProcessFrameworkCoverImage1Black.png",
+ "SOCProcessFrameworkCoverImage2White.png",
+ "SOCProcessFrameworkCoverImage2Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "SOC Process Framework",
+ "templateRelativePath": "SOCProcessFramework.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "Building_a_SOCLargeStaffWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. 
It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SOCProcessFrameworkCoverImage1White.png",
+ "SOCProcessFrameworkCoverImage1Black.png",
+ "SOCProcessFrameworkCoverImage2White.png",
+ "SOCProcessFrameworkCoverImage2Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "SOC Large Staff",
+ "templateRelativePath": "Building_a_SOCLargeStaff.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "Building_a_SOCMediumStaffWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SOCProcessFrameworkCoverImage1White.png",
+ "SOCProcessFrameworkCoverImage1Black.png",
+ "SOCProcessFrameworkCoverImage2White.png",
+ "SOCProcessFrameworkCoverImage2Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "SOC Medium Staff",
+ "templateRelativePath": "Building_a_SOCMediumStaff.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "Building_a_SOCPartTimeStaffWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. 
It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SOCProcessFrameworkCoverImage1White.png",
+ "SOCProcessFrameworkCoverImage1Black.png",
+ "SOCProcessFrameworkCoverImage2White.png",
+ "SOCProcessFrameworkCoverImage2Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "SOC Part Time Staff",
+ "templateRelativePath": "Building_a_SOCPartTimeStaff.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "Building_a_SOCSmallStaffWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SOCProcessFrameworkCoverImage1White.png",
+ "SOCProcessFrameworkCoverImage1Black.png",
+ "SOCProcessFrameworkCoverImage2White.png",
+ "SOCProcessFrameworkCoverImage2Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "SOC Small Staff",
+ "templateRelativePath": "Building_a_SOCSmallStaff.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "SOCIRPlanningWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. 
It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SOCProcessFrameworkCoverImage1White.png",
+ "SOCProcessFrameworkCoverImage1Black.png",
+ "SOCProcessFrameworkCoverImage2White.png",
+ "SOCProcessFrameworkCoverImage2Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "SOC IR Planning",
+ "templateRelativePath": "SOCIRPlanning.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "UpdateSOCMaturityScoreWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "SOCProcessFrameworkCoverImage1White.png",
+ "SOCProcessFrameworkCoverImage1Black.png",
+ "SOCProcessFrameworkCoverImage2White.png",
+ "SOCProcessFrameworkCoverImage2Black.png"
+ ],
+ "version": "1.1.0",
+ "title": "Update SOC Maturity Score",
+ "templateRelativePath": "UpdateSOCMaturityScore.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "Microsoft365SecurityPosture",
+ "logoFileName": "M365securityposturelogo.svg",
+ "description": "This workbook presents security posture data collected from Azure Security Center, M365 Defender, Defender for Endpoint, and Microsoft Cloud App Security. 
This workbook relies on the M365 Security Posture Playbook in order to bring the data in.",
+ "dataTypesDependencies": [
+ "M365SecureScore_CL",
+ "MDfESecureScore_CL",
+ "MDfEExposureScore_CL",
+ "MDfERecommendations_CL",
+ "MDfEVulnerabilitiesList_CL",
+ "McasShadowItReporting"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "M365securitypostureblack.png",
+ "M365securityposturewhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Microsoft 365 Security Posture",
+ "templateRelativePath": "M365SecurityPosture.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "AzureSentinelCost",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This workbook provides an estimated cost across the main billed items in Microsoft Sentinel: ingestion, retention and automation. It also provides insight about the possible impact of the Microsoft 365 E5 offer.",
+ "dataTypesDependencies": [
+ "Usage"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "AzureSentinelCostWhite.png",
+ "AzureSentinelCostBlack.png"
+ ],
+ "version": "1.5.1",
+ "title": "Microsoft Sentinel Cost",
+ "templateRelativePath": "AzureSentinelCost.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "ADXvsLA",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This workbook shows the tables from Microsoft Sentinel which are backed up in ADX. It also provides a comparison between the entries in the Microsoft Sentinel tables and the ADX tables. 
Lastly some general information about the queries and ingestion on ADX is shown.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "ADXvsLABlack.PNG",
+ "ADXvsLAWhite.PNG"
+ ],
+ "version": "1.0.0",
+ "title": "ADXvsLA",
+ "templateRelativePath": "ADXvsLA.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "ProofPointThreatDashboard",
+ "logoFileName": "",
+ "description": "Provides an overview of email threat activity based on log data provided by ProofPoint",
+ "dataTypesDependencies": [
+ "ProofpointPOD_message_CL",
+ "ProofpointPOD_maillog_CL",
+ "ProofPointTAPClicksBlocked_CL",
+ "ProofPointTAPClicksPermitted_CL",
+ "ProofPointTAPMessagesBlocked_CL",
+ "ProofPointTAPMessagesDelivered_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ProofpointTAP",
+ "ProofpointPOD"
+ ],
+ "previewImagesFileNames": [
+ "ProofPointThreatDashboardBlack1.png",
+ "ProofPointThreatDashboardWhite1.png"
+ ],
+ "version": "1.0.0",
+ "title": "ProofPoint Threat Dashboard",
+ "templateRelativePath": "ProofPointThreatDashboard.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "AMAmigrationTracker",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "See what Azure and Azure Arc servers have Log Analytics agent or Azure Monitor agent installed. 
Review what DCR (data collection rules) apply to your machines and whether you are collecting logs from those machines into your selected workspaces.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "AMAtrackingWhite1.png",
+ "AMAtrackingWhite2.png",
+ "AMAtrackingWhite3.png",
+ "AMAtrackingBlack1.png",
+ "AMAtrackingBlack2.png",
+ "AMAtrackingBlack3.png"
+ ],
+ "version": "1.1.0",
+ "title": "AMA migration tracker",
+ "templateRelativePath": "AMAmigrationTracker.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "AdvancedKQL",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This interactive Workbook is designed to improve your KQL proficiency by using a use-case driven approach.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "AdvancedKQLWhite.png",
+ "AdvancedKQLBlack.png"
+ ],
+ "version": "1.3.0",
+ "title": "Advanced KQL for Microsoft Sentinel",
+ "templateRelativePath": "AdvancedKQL.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "DSTIMWorkbook",
+ "logoFileName": "DSTIM.svg",
+ "description": "Identify sensitive data blast radius (i.e., who accessed sensitive data, what kinds of sensitive data, from where and when) in a given data security incident investigation or as part of Threat Hunting. 
Prioritize your investigation based on insights provided with integrations with Watchlists(VIPUsers, TerminatedEmployees and HighValueAssets), Threat Intelligence feed, UEBA baselines and much more.",
+ "dataTypesDependencies": [
+ "DSMAzureBlobStorageLogs",
+ "DSMDataClassificationLogs",
+ "DSMDataLabelingLogs",
+ "Anomalies",
+ "ThreatIntelligenceIndicator",
+ "AADManagedIdentitySignInLogs",
+ "SecurityAlert",
+ "SigninLogs"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "DSTIMWorkbookBlack.png",
+ "DSTIMWorkbookWhite.png"
+ ],
+ "version": "1.9.0",
+ "title": "Data Security - Sensitive Data Impact Assessment",
+ "templateRelativePath": "DSTIMWorkbook.json",
+ "subtitle": "",
+ "provider": "Microsoft",
+ "featureFlag": "DSTIMWorkbook"
+ },
+ {
+ "workbookKey": "IntrotoKQLWorkbook",
+ "logoFileName": "",
+ "description": "Learn and practice the Kusto Query Language. This workbook introduces and provides 100 to 200 level content for new and existing users looking to learn KQL. 
This workbook will be updated with content over time.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "IntrotoKQL-black.png",
+ "IntrotoKQL-white.png"
+ ],
+ "version": "1.0.0",
+ "title": "Intro to KQL",
+ "templateRelativePath": "IntrotoKQL.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "Log4jPostCompromiseHuntingWorkbook",
+ "logoFileName": "",
+ "description": "This hunting workbook is intended to help identify activity related to the Log4j compromise discovered in December 2021.",
+ "dataTypesDependencies": [
+ "SecurityNestedRecommendation",
+ "AzureDiagnostics",
+ "OfficeActivity",
+ "W3CIISLog",
+ "AWSCloudTrail",
+ "SigninLogs",
+ "AADNonInteractiveUserSignInLogs",
+ "imWebSessions",
+ "imNetworkSession"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "Log4jPostCompromiseHuntingBlack.png",
+ "Log4jPostCompromiseHuntingWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Log4j Post Compromise Hunting",
+ "templateRelativePath": "Log4jPostCompromiseHunting.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "Log4jImpactAssessmentWorkbook",
+ "logoFileName": "",
+ "description": "This hunting workbook is intended to help identify activity related to the Log4j compromise discovered in December 2021.",
+ "dataTypesDependencies": [
+ "SecurityIncident",
+ "SecurityAlert",
+ "AzureSecurityCenter",
+ "MDfESecureScore_CL",
+ "MDfEExposureScore_CL",
+ "MDfERecommendations_CL",
+ "MDfEVulnerabilitiesList_CL"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "Log4j Impact Assessment",
+ "templateRelativePath": "Log4jImpactAssessment.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "UserMap",
+ "logoFileName": "",
+ "description": "This Workbook shows MaliciousIP, User SigninLog Data (this shows user 
Signin Locations and distance between as well as order visited) and WAF information.",
+ "dataTypesDependencies": [
+ "SigninLogs",
+ "AzureDiagnostics",
+ "WireData",
+ "VMconnection",
+ "CommonSecurityLog",
+ "WindowsFirewall",
+ "W3CIISLog",
+ "DnsEvents"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureActiveDirectory"
+ ],
+ "previewImagesFileNames": [
+ "UserMapBlack.png",
+ "UserMapWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "User Map information",
+ "templateRelativePath": "UserMap.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "AWSS3",
+ "logoFileName": "",
+ "description": ".",
+ "dataTypesDependencies": [
+ "AWSCloudTrail",
+ "AWSGuardDuty",
+ "AWSVPCFlow"
+ ],
+ "dataConnectorsDependencies": [
+ "AWSS3"
+ ],
+ "previewImagesFileNames": [
+ "AWSS3Black.png",
+ "AWSS3White.png",
+ "AWSS3White1.png"
+ ],
+ "version": "1.0.0",
+ "title": "AWS S3 Workbook",
+ "templateRelativePath": "AWSS3.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "LogSourcesAndAnalyticRulesCoverageWorkbook",
+ "logoFileName": "",
+ "description": "This workbook is intended to show how the different tables in a Log Analytics workspace are being used by the different Microsoft Sentinel features, like analytics, hunting queries, playbooks and queries in general.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "LogSourcesAndAnalyticRulesCoverageBlack.png",
+ "LogSourcesAndAnalyticRulesCoverageWhite.png"
+ ],
+ "version": "1.1.0",
+ "title": "Log Sources & Analytic Rules Coverage",
+ "templateRelativePath": "LogSourcesAndAnalyticRulesCoverage.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "CiscoFirepower",
+ "logoFileName": "",
+ "description": "Gain insights into your Cisco Firepower firewalls. 
This workbook analyzes Cisco Firepower device logs.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "CiscoFirepowerBlack.png",
+ "CiscoFirepowerWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Cisco Firepower",
+ "templateRelativePath": "CiscoFirepower.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "MicrorosftTeams",
+ "logoFileName": "microsoftteams.svg",
+ "description": "This workbook is intended to identify the activities on Microrsoft Teams.",
+ "dataTypesDependencies": [
+ "OfficeActivity"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "MicrosoftTeamsBlack.png",
+ "MicrosoftTeamsWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Microsoft Teams",
+ "templateRelativePath": "MicrosoftTeams.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "ArchivingBasicLogsRetention",
+ "logoFileName": "ArchivingBasicLogsRetention.svg",
+ "description": "This workbooks shows workspace and table retention periods, basic logs, and search & restore tables. 
It also allows you to update table retention periods, plans, and delete search or restore tables.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "ArchivingBasicLogsRetentionBlack1.png",
+ "ArchivingBasicLogsRetentionWhite1.png"
+ ],
+ "version": "1.1.0",
+ "title": "Archiving, Basic Logs, and Retention",
+ "templateRelativePath": "ArchivingBasicLogsRetention.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "OktaSingleSignOnWorkbook",
+ "logoFileName": "okta_logo.svg",
+ "description": "Gain extensive insight into Okta Single Sign-On (SSO) by analyzing, collecting and correlating Audit and Event events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked",
+ "dataTypesDependencies": [
+ "Okta_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "OktaSSO"
+ ],
+ "previewImagesFileNames": [
+ "OktaSingleSignOnWhite.png",
+ "OktaSingleSignOnBlack.png"
+ ],
+ "version": "1.2",
+ "title": "Okta Single Sign-On",
+ "templateRelativePath": "OktaSingleSignOn.json",
+ "subtitle": "",
+ "provider": "Okta"
+ },
+ {
+ "workbookKey": "Dynamics365Workbooks",
+ "logoFileName": "DynamicsLogo.svg",
+ "description": "This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data.",
+ "dataTypesDependencies": [
+ "Dynamics365Activity"
+ ],
+ "dataConnectorsDependencies": [
+ "Dynamics365"
+ ],
+ "previewImagesFileNames": [
+ "Dynamics365WorkbookBlack.png",
+ "Dynamics365WorkbookWhite.png"
+ ],
+ "version": "1.0.3",
+ "title": "Dynamics365Workbooks",
+ "templateRelativePath": "Dynamics365Workbooks.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "CiscoMerakiWorkbook",
+ "logoFileName": "",
+ "description": "Gain insights into the Events from Cisco Meraki Solution and analyzing all the different types of Security Events. 
This workbook also helps in identifying the Events from affected devices, IPs and the nodes where malware was successfully detected.\nIP data received in Events is correlated with Threat Intelligence to identify if the reported IP address is known bad based on threat intelligence data.",
+ "dataTypesDependencies": [
+ "meraki_CL",
+ "CiscoMerakiNativePoller",
+ "ThreatIntelligenceIndicator"
+ ],
+ "dataConnectorsDependencies": [
+ "CiscoMeraki",
+ "CiscoMerakiNativePolling",
+ "ThreatIntelligence"
+ ],
+ "previewImagesFileNames": [
+ "CiscoMerakiWorkbookWhite.png",
+ "CiscoMerakiWorkbookBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "CiscoMerakiWorkbook",
+ "templateRelativePath": "CiscoMerakiWorkbook.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "SentinelOneWorkbook",
+ "logoFileName": "",
+ "description": "Sets the time name for analysis.",
+ "dataTypesDependencies": [
+ "SentinelOne_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "SentinelOne"
+ ],
+ "previewImagesFileNames": [
+ "SentinelOneBlack.png",
+ "SentinelOneWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "SentinelOneWorkbook",
+ "templateRelativePath": "SentinelOne.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "TrendMicroApexOneWorkbook",
+ "logoFileName": "trendmicro_logo.svg",
+ "description": "Sets the time name for analysis.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "TrendMicroApexOne"
+ ],
+ "previewImagesFileNames": [
+ "TrendMicroApexOneBlack.png",
+ "TrendMicroApexOneWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Trend Micro Apex One",
+ "templateRelativePath": "TrendMicroApexOne.json",
+ "subtitle": "",
+ "provider": "TrendMicro"
+ },
+ {
+ "workbookKey": "ContrastProtect",
+ "logoFileName": "contrastsecurity_logo.svg",
+ "description": "Select the time range for this Overview.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+
"ContrastProtect"
+ ],
+ "previewImagesFileNames": [
+ "ContrastProtectAllBlack.png",
+ "ContrastProtectAllWhite.png",
+ "ContrastProtectEffectiveBlack.png",
+ "ContrastProtectEffectiveWhite.png",
+ "ContrastProtectSummaryBlack.png",
+ "ContrastProtectSummaryWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Contrast Protect",
+ "templateRelativePath": "ContrastProtect.json",
+ "subtitle": "",
+ "provider": "contrast security"
+ },
+ {
+ "workbookKey": "ArmorbloxOverview",
+ "logoFileName": "armorblox.svg",
+ "description": "INCIDENTS FROM SELECTED TIME RANGE",
+ "dataTypesDependencies": [
+ "Armorblox_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "Armorblox"
+ ],
+ "previewImagesFileNames": [
+ "ArmorbloxOverviewBlack01.png",
+ "ArmorbloxOverviewBlack02.png",
+ "ArmorbloxOverviewWhite01.png",
+ "ArmorbloxOverviewWhite02.png"
+ ],
+ "version": "1.0.0",
+ "title": "Armorblox",
+ "templateRelativePath": "ArmorbloxOverview.json",
+ "subtitle": "",
+ "provider": "Armorblox"
+ },
+ {
+ "workbookKey": "PaloAltoCDL",
+ "logoFileName": "paloalto_logo.svg",
+ "description": "Sets the time name for analysis",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "PaloAltoCDL"
+ ],
+ "previewImagesFileNames": [
+ "PaloAltoBlack.png",
+ "PaloAltoWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Palo Alto Networks Cortex Data Lake",
+ "templateRelativePath": "PaloAltoCDL.json",
+ "subtitle": "",
+ "provider": "Palo Alto Networks"
+ },
+ {
+ "workbookKey": "VMwareCarbonBlack",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Sets the time name for analysis",
+ "dataTypesDependencies": [
+ "CarbonBlackEvents_CL",
+ "CarbonBlackAuditLogs_CL",
+ "CarbonBlackNotifications_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "VMwareCarbonBlack"
+ ],
+ "previewImagesFileNames": [
+ "VMwareCarbonBlack.png",
+ "VMwareCarbonWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "VMware Carbon Black Cloud",
+ "templateRelativePath": "VMwareCarbonBlack.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "arista-networks",
+ "logoFileName": "AristaAwakeSecurity.svg",
+ "description": "Sets the time name for analysis",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "AristaAwakeSecurity"
+ ],
+ "previewImagesFileNames": [
+ "AristaAwakeSecurityDevicesBlack.png",
+ "AristaAwakeSecurityDevicesWhite.png",
+ "AristaAwakeSecurityModelsBlack.png",
+ "AristaAwakeSecurityModelsWhite.png",
+ "AristaAwakeSecurityOverviewBlack.png",
+ "AristaAwakeSecurityOverviewWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Arista Awake",
+ "templateRelativePath": "AristaAwakeSecurityWorkbook.json",
+ "subtitle": "",
+ "provider": "Arista Networks"
+ },
+ {
+ "workbookKey": "TomcatWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Sets the time name for analysis",
+ "dataTypesDependencies": [
+ "Tomcat_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ApacheTomcat"
+ ],
+ "previewImagesFileNames": [
+ "TomcatBlack.png",
+ "TomcatWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "ApacheTomcat",
+ "templateRelativePath": "Tomcat.json",
+ "subtitle": "",
+ "provider": "Apache"
+ },
+ {
+ "workbookKey": "ClarotyWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Sets the time name for analysis",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "Claroty"
+ ],
+ "previewImagesFileNames": [
+ "ClarotyBlack.png",
+ "ClarotyWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Claroty",
+ "templateRelativePath": "ClarotyOverview.json",
+ "subtitle": "",
+ "provider": "Claroty"
+ },
+ {
+ "workbookKey": "ApacheHTTPServerWorkbook",
+ "logoFileName": "apache.svg",
+ "description": "Sets the time name for analysis",
+ "dataTypesDependencies": [
+ "ApacheHTTPServer_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ApacheHTTPServer"
+ ],
+ "previewImagesFileNames": [
+ "ApacheHTTPServerOverviewBlack01.png",
+
"ApacheHTTPServerOverviewBlack02.png",
+ "ApacheHTTPServerOverviewWhite01.png",
+ "ApacheHTTPServerOverviewWhite02.png"
+ ],
+ "version": "1.0.0",
+ "title": "Apache HTTP Server",
+ "templateRelativePath": "ApacheHTTPServer.json",
+ "subtitle": "",
+ "provider": "Apache Software Foundation"
+ },
+ {
+ "workbookKey": "OCIWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Sets the time name for analysis",
+ "dataTypesDependencies": [
+ "OCI_Logs_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "OracleCloudInfrastructureLogsConnector"
+ ],
+ "previewImagesFileNames": [
+ "OCIBlack.png",
+ "OCIWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Oracle Cloud Infrastructure",
+ "templateRelativePath": "OracleCloudInfrastructureOCI.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "OracleWeblogicServerWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Sets the time name for analysis",
+ "dataTypesDependencies": [
+ "OracleWebLogicServer_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "OracleWebLogicServer"
+ ],
+ "previewImagesFileNames": [
+ "OracleWeblogicServerBlack.png",
+ "OracleWeblogicServerWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Oracle WebLogic Server",
+ "templateRelativePath": "OracleWorkbook.json",
+ "subtitle": "",
+ "provider": "Oracle"
+ },
+ {
+ "workbookKey": "BitglassWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Sets the time name for analysis",
+ "dataTypesDependencies": [
+ "BitglassLogs_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "Bitglass"
+ ],
+ "previewImagesFileNames": [
+ "BitglassBlack.png",
+ "BitglassWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Bitglass",
+ "templateRelativePath": "Bitglass.json",
+ "subtitle": "",
+ "provider": "Bitglass"
+ },
+ {
+ "workbookKey": "NGINXWorkbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "Sets the time name for analysis",
+ "dataTypesDependencies": [
+ "NGINX_CL"
+ ],
+ "dataConnectorsDependencies": [
+
"NGINXHTTPServer" + ], + "previewImagesFileNames": [ + "NGINXOverviewBlack01.png", + "NGINXOverviewBlack02.png", + "NGINXOverviewWhite01.png", + "NGINXOverviewWhite02.png" + ], + "version": "1.0.0", + "title": "NGINX HTTP Server", + "templateRelativePath": "NGINX.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "vArmourAppContollerWorkbook", + "logoFileName": "varmour-logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "vArmourAC" + ], + "previewImagesFileNames": [ + "vArmourAppControllerAppBlack.png", + "vArmourAppControllerAppBlack-1.png", + "vArmourAppControllerAppBlack-2.png", + "vArmourAppControllerAppBlack-3.png", + "vArmourAppControllerAppBlack-4.png", + "vArmourAppControllerAppBlack-5.png", + "vArmourAppControllerAppBlack-6.png", + "vArmourAppControllerAppBlack-7.png", + "vArmourAppControllerAppWhite.png", + "vArmourAppControllerAppWhite-1.png", + "vArmourAppControllerAppWhite-2.png", + "vArmourAppControllerAppWhite-3.png", + "vArmourAppControllerAppWhite-4.png", + "vArmourAppControllerAppWhite-5.png", + "vArmourAppControllerAppWhite-6.png", + "vArmourAppControllerAppWhite-7.png" + ], + "version": "1.0.0", + "title": "vArmour Application Controller", + "templateRelativePath": "vArmour_AppContoller_Workbook.json", + "subtitle": "", + "provider": "vArmour" + }, + { + "workbookKey": "CorelightWorkbook", + "logoFileName": "corelight.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Corelight_CL" + ], + "dataConnectorsDependencies": [ + "Corelight" + ], + "previewImagesFileNames": [ + "CorelightConnectionsBlack1.png", + "CorelightConnectionsBlack2.png", + "CorelightConnectionsWhite1.png", + "CorelightConnectionsWhite2.png", + "CorelightDNSBlack1.png", + "CorelightDNSWhite1.png", + "CorelightFileBlack1.png", + "CorelightFileBlack2.png", + "CorelightFileWhite1.png", + "CorelightFileWhite2.png", + 
"CorelightMainBlack1.png", + "CorelightMainWhite1.png", + "CorelightSoftwareBlack1.png", + "CorelightSoftwareWhite1.png" + ], + "version": "1.0.0", + "title": "Corelight", + "templateRelativePath": "Corelight.json", + "subtitle": "", + "provider": "Corelight" + }, + { + "workbookKey": "LookoutEvents", + "logoFileName": "lookout.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Lookout_CL" + ], + "dataConnectorsDependencies": [ + "LookoutAPI" + ], + "previewImagesFileNames": [ + "SampleLookoutWorkBookBlack.png", + "SampleLookoutWorkBookWhite.png" + ], + "version": "1.0.0", + "title": "Lookout", + "templateRelativePath": "LookoutEvents.json", + "subtitle": "", + "provider": "Lookout" + }, + { + "workbookKey": "sentinel-MicrosoftPurview", + "logoFileName": "MicrosoftPurview.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "AzureDiagnostics" + ], + "dataConnectorsDependencies": [ + "MicrosoftAzurePurview" + ], + "previewImagesFileNames": [ + "" + ], + "version": "1.0.0", + "title": "Microsoft Purview", + "templateRelativePath": "MicrosoftPurview.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "InfobloxCDCB1TDWorkbook", + "logoFileName": "infoblox_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "InfobloxCloudDataConnector" + ], + "previewImagesFileNames": [ + "InfobloxCDCB1TDBlack.png", + "InfobloxCDCB1TDWhite.png" + ], + "version": "1.0.0", + "title": "Infoblox Cloud Data Connector", + "templateRelativePath": "InfobloxCDCB1TDWorkbook.json", + "subtitle": "", + "provider": "InfoBlox" + }, + { + "workbookKey": "UbiquitiUniFiWorkbook", + "logoFileName": "ubiquiti.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Ubiquiti_CL" + ], + "dataConnectorsDependencies": [ + "UbiquitiUnifi" + ], + "previewImagesFileNames": [ + 
"UbiquitiOverviewBlack01.png", + "UbiquitiOverviewBlack02.png", + "UbiquitiOverviewWhite01.png", + "UbiquitiOverviewWhite02.png" + ], + "version": "1.0.0", + "title": "Ubiquiti UniFi", + "templateRelativePath": "Ubiquiti.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "VMwareESXiWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Syslog" + ], + "dataConnectorsDependencies": [ + "VMwareESXi" + ], + "previewImagesFileNames": [ + "VMWareESXiBlack.png", + "VMWareESXiWhite.png" + ], + "version": "1.0.0", + "title": "VMware ESXi", + "templateRelativePath": "VMWareESXi.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "SnowflakeWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Snowflake_CL" + ], + "dataConnectorsDependencies": [ + "SnowflakeDataConnector" + ], + "previewImagesFileNames": [ + "SnowflakeBlack.png", + "SnowflakeWhite.png" + ], + "version": "1.0.0", + "title": "Snowflake", + "templateRelativePath": "Snowflake.json", + "subtitle": "", + "provider": "Snowflake" + }, + { + "workbookKey": "LastPassWorkbook", + "logoFileName": "LastPass.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "LastPassNativePoller_CL" + ], + "dataConnectorsDependencies": [ + "LastPassAPIConnector" + ], + "previewImagesFileNames": [ + "LastPassBlack.png", + "LastPassWhite.png" + ], + "version": "1.0.0", + "title": "Lastpass Enterprise Activity Monitoring", + "templateRelativePath": "LastPassWorkbook.json", + "subtitle": "", + "provider": "LastPass" + }, + { + "workbookKey": "SecurityBridgeWorkbook", + "logoFileName": "SecurityBridgeLogo-Vector-TM_75x75.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "SecurityBridgeLogs" + ], + "dataConnectorsDependencies": [ + "SecurityBridgeSAP" + ], + 
"previewImagesFileNames": [ + "SecurityBridgeThreatDetectionWhite.png", + "SecurityBridgeThreatDetectionWhite1.png" + ], + "version": "1.0.0", + "title": "SecurityBridge App", + "templateRelativePath": "SecurityBridgeThreatDetectionforSAP.json", + "subtitle": "", + "provider": "SecurityBridge" + }, + { + "workbookKey": "PaloAltoPrismaCloudWorkbook", + "logoFileName": "paloalto_logo.svg", + "description": "Sets the time name for analysis.", + "dataTypesDependencies": [ + "PaloAltoPrismaCloudAlert_CL", + "PaloAltoPrismaCloudAudit_CL" + ], + "dataConnectorsDependencies": [ + "PaloAltoPrismaCloud" + ], + "previewImagesFileNames": [ + "PaloAltoPrismaCloudBlack01.png", + "PaloAltoPrismaCloudBlack02.png", + "PaloAltoPrismaCloudWhite01.png", + "PaloAltoPrismaCloudWhite02.png" + ], + "version": "1.0.0", + "title": "Palo Alto Prisma", + "templateRelativePath": "PaloAltoPrismaCloudOverview.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "PingFederateWorkbook", + "logoFileName": "PingIdentity.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "PingFederateEvent" + ], + "dataConnectorsDependencies": [ + "PingFederate" + ], + "previewImagesFileNames": [ + "PingFederateBlack1.png", + "PingFederateWhite1.png" + ], + "version": "1.0.0", + "title": "PingFederate", + "templateRelativePath": "PingFederate.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "McAfeeePOWorkbook", + "logoFileName": "mcafee_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "McAfeeEPOEvent" + ], + "dataConnectorsDependencies": [ + "McAfeeePO" + ], + "previewImagesFileNames": [ + "McAfeeePOBlack1.png", + "McAfeeePOBlack2.png", + "McAfeeePOWhite1.png", + "McAfeeePOWhite2.png" + ], + "version": "1.0.0", + "title": "McAfee ePolicy Orchestrator", + "templateRelativePath": "McAfeeePOOverview.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": 
"OracleDatabaseAudit", + "logoFileName": "oracle_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Syslog" + ], + "dataConnectorsDependencies": [ + "OracleDatabaseAudit" + ], + "previewImagesFileNames": [ + "OracleDatabaseAuditBlack1.png", + "OracleDatabaseAuditBlack2.png", + "OracleDatabaseAuditWhite1.png", + "OracleDatabaseAuditWhite2.png" + ], + "version": "1.0.0", + "title": "Oracle Database Audit", + "templateRelativePath": "OracleDatabaseAudit.json", + "subtitle": "", + "provider": "Oracle" + }, + { + "workbookKey": "SenservaProAnalyticsWorkbook", + "logoFileName": "SenservaPro_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "SenservaPro_CL" + ], + "dataConnectorsDependencies": [ + "SenservaPro" + ], + "previewImagesFileNames": [ + "SenservaProAnalyticsBlack.png", + "SenservaProAnalyticsWhite.png" + ], + "version": "1.0.0", + "title": "SenservaProAnalytics", + "templateRelativePath": "SenservaProAnalyticsWorkbook.json", + "subtitle": "", + "provider": "Senserva Pro" + }, + { + "workbookKey": "SenservaProMultipleWorkspaceWorkbook", + "logoFileName": "SenservaPro_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "SenservaPro_CL" + ], + "dataConnectorsDependencies": [ + "SenservaPro" + ], + "previewImagesFileNames": [ + "SenservaProMultipleWorkspaceWorkbookBlack.png", + "SenservaProMultipleWorkspaceWorkbookWhite.png" + ], + "version": "1.0.0", + "title": "SenservaProMultipleWorkspace", + "templateRelativePath": "SenservaProMultipleWorkspaceWorkbook.json", + "subtitle": "", + "provider": "Senserva Pro" + }, + { + "workbookKey": "SenservaProSecureScoreMultiTenantWorkbook", + "logoFileName": "SenservaPro_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "SenservaPro_CL" + ], + "dataConnectorsDependencies": [ + "SenservaPro" + ], + "previewImagesFileNames": [ + 
"SenservaProSecureScoreMultiTenantBlack.png", + "SenservaProSecureScoreMultiTenantWhite.png" + ], + "version": "1.0.0", + "title": "SenservaProSecureScoreMultiTenant", + "templateRelativePath": "SenservaProSecureScoreMultiTenantWorkbook.json", + "subtitle": "", + "provider": "Senserva Pro" + }, + { + "workbookKey": "CiscoSecureEndpointOverviewWorkbook", + "logoFileName": "cisco-logo-72px.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CiscoSecureEndpoint" + ], + "dataConnectorsDependencies": [ + "CiscoSecureEndpoint" + ], + "previewImagesFileNames": [ + "CiscoSecureEndpointBlack.png", + "CiscoSecureEndpointWhite.png" + ], + "version": "1.0.0", + "title": "Cisco Secure Endpoint", + "templateRelativePath": "Cisco Secure Endpoint Overview.json", + "subtitle": "", + "provider": "Cisco" + }, + { + "workbookKey": "InfoSecGlobalWorkbook", + "logoFileName": "infosecglobal.svg", + "description": "Sets the time name for analysis.", + "dataTypesDependencies": [ + "InfoSecAnalytics_CL" + ], + "dataConnectorsDependencies": [ + "InfoSecDataConnector" + ], + "previewImagesFileNames": [ + "InfoSecGlobalWorkbookBlack.png", + "InfoSecGlobalWorkbookWhite.png" + ], + "version": "1.0.0", + "title": "AgileSec Analytics Connector", + "templateRelativePath": "InfoSecGlobal.json", + "subtitle": "", + "provider": "InfoSecGlobal" + }, + { + "workbookKey": "CrowdStrikeFalconEndpointProtectionWorkbook", + "logoFileName": "crowdstrike.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CrowdstrikeReplicatorLogs_CL" + ], + "dataConnectorsDependencies": [ + "CrowdstrikeReplicator" + ], + "previewImagesFileNames": [ + "CrowdStrikeFalconEndpointProtectionBlack.png", + "CrowdStrikeFalconEndpointProtectionWhite.png" + ], + "version": "1.0.0", + "title": "CrowdStrike Falcon Endpoint Protection", + "templateRelativePath": "CrowdStrikeFalconEndpointProtection.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + 
"workbookKey": "IronDefenseAlertDashboard", + "logoFileName": "IronNet.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "IronNetIronDefense" + ], + "previewImagesFileNames": [ + "IronDefenseDashboardBlack.png", + "IronDefenseDashboardWhit.png" + ], + "version": "1.0.0", + "title": "IronDefenseAlertDashboard", + "templateRelativePath": "IronDefenseAlertDashboard.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "IronDefenseAlertDetails", + "logoFileName": "IronNet.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "IronNetIronDefense" + ], + "previewImagesFileNames": [ + "IronDefenseAlertsBlack.png", + "IronDefenseAlertsWhite.png" + ], + "version": "1.0.0", + "title": "IronDefenseAlertDetails", + "templateRelativePath": "IronDefenseAlertDetails.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "CiscoSEGWorkbook", + "logoFileName": "cisco-logo-72px.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CommonSecurityLog" + ], + "dataConnectorsDependencies": [ + "CiscoSEG" + ], + "previewImagesFileNames": [ + "CiscoSEGBlack.png", + "CiscoSEGWhite.png" + ], + "version": "1.0.0", + "title": "Cisco Secure Email Gateway", + "templateRelativePath": "CiscoSEG.json", + "subtitle": "", + "provider": "Cisco" + }, + { + "workbookKey": "EatonForeseerHealthAndAccess", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook gives an insight into the health of all the Windows VMs in this subscription running Eaton Foreseer and the unauthorized access into the Eaton Foreseer application running on these VMs.", + "dataTypesDependencies": [ + "SecurityEvent" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "EatonForeseerHealthAndAccessBlack.png", + 
"EatonForeseerHealthAndAccessWhite.png" + ], + "version": "1.0.0", + "title": "EatonForeseerHealthAndAccess", + "templateRelativePath": "EatonForeseerHealthAndAccess.json", + "subtitle": "", + "provider": "Eaton" + }, + { + "workbookKey": "PCIDSSComplianceWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Choose your subscription and workspace in which PCI assets are deployed", + "dataTypesDependencies": [ + "AzureDaignostics", + "SecurityEvent", + "SecurityAlert", + "OracleDatabaseAuditEvent", + "Syslog", + "Anomalies" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "PCIDSSComplianceBlack01.PNG", + "PCIDSSComplianceBlack02.PNG", + "PCIDSSComplianceWhite01.PNG", + "PCIDSSComplianceWhite02.PNG" + ], + "version": "1.0.0", + "title": "PCI DSS Compliance", + "templateRelativePath": "PCIDSSCompliance.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "SonraiSecurityWorkbook", + "logoFileName": "Sonrai.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Sonrai_Tickets_CL" + ], + "dataConnectorsDependencies": [ + "SonraiDataConnector" + ], + "previewImagesFileNames": [ + "SonraiWorkbookBlack.png", + "SonraiWorkbookWhite.png" + ], + "version": "1.0.0", + "title": "Sonrai", + "templateRelativePath": "Sonrai.json", + "subtitle": "", + "provider": "Sonrai" + }, + { + "workbookKey": "SemperisDSPWorkbook", + "logoFileName": "Semperis.svg", + "description": "Specify the time range on which to query the data", + "dataTypesDependencies": [ + "dsp_parser" + ], + "dataConnectorsDependencies": [ + "SemperisDSP" + ], + "previewImagesFileNames": [ + "SemperisDSPOverview1Black.png", + "SemperisDSPOverview1White.png", + "SemperisDSPOverview2Black.png", + "SemperisDSPOverview2White.png", + "SemperisDSPOverview3Black.png", + "SemperisDSPOverview3White.png" + ], + "version": "1.0.0", + "title": "Semperis Directory Services Protector", + "templateRelativePath": 
"SemperisDSPWorkbook.json", + "subtitle": "", + "provider": "Semperis" + }, + { + "workbookKey": "BoxWorkbook", + "logoFileName": "box.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "BoxEvents_CL" + ], + "dataConnectorsDependencies": [ + "BoxDataConnector" + ], + "previewImagesFileNames": [ + "BoxBlack1.png", + "BoxWhite1.png", + "BoxBlack2.png", + "BoxWhite2.png" + ], + "version": "1.0.0", + "title": "Box", + "templateRelativePath": "Box.json", + "subtitle": "", + "provider": "Box" + }, + { + "workbookKey": "SymantecEndpointProtection", + "logoFileName": "symantec_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "SymantecEndpointProtection" + ], + "dataConnectorsDependencies": [ + "SymantecEndpointProtection" + ], + "previewImagesFileNames": [ + "SymantecEndpointProtectionBlack.png", + "SymantecEndpointProtectionWhite.png" + ], + "version": "1.0.0", + "title": "Symantec Endpoint Protection", + "templateRelativePath": "SymantecEndpointProtection.json", + "subtitle": "", + "provider": "Symantec" + }, + { + "workbookKey": "DynamicThreatModeling&Response", + "logoFileName": "", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "SecurityAlert" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "ThreatAnalysis&ResponseWhite1.png", + "ThreatAnalysis&ResponseWhite2.png" + ], + "version": "1.0.0", + "title": "Dynamic Threat Modeling Response", + "templateRelativePath": "DynamicThreatModeling&Response.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "ThreatAnalysis&Response", + "logoFileName": "", + "description": "The Defenders for IoT workbook provide guided investigations for OT entities based on open incidents, alert notifications, and activities for OT assets. 
They also provide a hunting experience across the MITRE ATT&CK® framework for ICS, and are designed to enable analysts, security engineers, and MSSPs to gain situational awareness of OT security posture.", + "dataTypesDependencies": [ + "SecurityAlert" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "ThreatAnalysis&ResponseWhite.png" + ], + "version": "1.0.1", + "title": "Threat Analysis Response", + "templateRelativePath": "ThreatAnalysis&Response.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "TrendMicroCAS", + "logoFileName": "Trend_Micro_Logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "TrendMicroCAS_CL" + ], + "dataConnectorsDependencies": [ + "TrendMicroCAS" + ], + "previewImagesFileNames": [ + "TrendMicroCASBlack.png", + "TrendMicroCASWhite.png" + ], + "version": "1.0.0", + "title": "TrendMicroCAS", + "templateRelativePath": "TrendMicroCAS.json", + "subtitle": "", + "provider": "TrendMicro" + }, + { + "workbookKey": "GitHubSecurityWorkbook", + "logoFileName": "GitHub.svg", + "description": "Gain insights to GitHub activities that may be interesting for security.", + "dataTypesDependencies": [ + "GitHubAuditLogPolling_CL" + ], + "dataConnectorsDependencies": [ + "GitHubEcAuditLogPolling" + ], + "previewImagesFileNames": [], + "version": "1.0.0", + "title": "GithubWorkbook", + "templateRelativePath": "GitHubWorkbook.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "GCPDNSWorkbook", + "logoFileName": "google_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "GCPCloudDNS" + ], + "dataConnectorsDependencies": [ + "GCPDNSDataConnector" + ], + "previewImagesFileNames": [ + "GCPDNSBlack.png", + "GCPDNSWhite.png" + ], + "version": "1.0.0", + "title": "Google Cloud Platform DNS", + "templateRelativePath": "GCPDNS.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": 
"AtlassianJiraAuditWorkbook", + "logoFileName": "", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "AtlassianJiraNativePoller_CL" + ], + "dataConnectorsDependencies": [ + "AtlassianJira" + ], + "previewImagesFileNames": [ + "AtlassianJiraAuditWhite.png", + "AtlassianJiraAuditBlack.png" + ], + "version": "1.0.0", + "title": "AtlassianJiraAudit", + "templateRelativePath": "AtlassianJiraAudit.json", + "subtitle": "", + "provider": "Atlassian" + }, + { + "workbookKey": "DigitalGuardianWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "DigitalGuardianDLPEvent" + ], + "dataConnectorsDependencies": [ + "DigitalGuardianDLP" + ], + "previewImagesFileNames": [ + "DigitalGuardianBlack.png", + "DigitalGuardianWhite.png" + ], + "version": "1.0.0", + "title": "DigitalGuardianDLP", + "templateRelativePath": "DigitalGuardian.json", + "subtitle": "", + "provider": "Digital Guardian" + }, + { + "workbookKey": "CiscoDuoWorkbook", + "logoFileName": "cisco-logo-72px.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CiscoDuo_CL" + ], + "dataConnectorsDependencies": [ + "CiscoDuoSecurity" + ], + "previewImagesFileNames": [ + "CiscoDuoWhite.png", + "CiscoDuoBlack.png" + ], + "version": "1.0.0", + "title": "CiscoDuoSecurity", + "templateRelativePath": "CiscoDuo.json", + "subtitle": "", + "provider": "Cisco" + }, + { + "workbookKey": "SlackAudit", + "logoFileName": "slacklogo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "SlackAudit_CL" + ], + "dataConnectorsDependencies": [ + "SlackAuditAPI" + ], + "previewImagesFileNames": [ + "SlackAuditApplicationActivityBlack1.png", + "SlackAuditApplicationActivityWhite1.png" + ], + "version": "1.0.0", + "title": "SlackAudit", + "templateRelativePath": "SlackAudit.json", + "subtitle": "", + "provider": "Slack" + }, + { + "workbookKey": 
"CiscoWSAWorkbook", + "logoFileName": "cisco-logo-72px.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Syslog" + ], + "dataConnectorsDependencies": [ + "CiscoWSA" + ], + "previewImagesFileNames": [ + "CiscoWSAWhite.png", + "CiscoWSABlack.png" + ], + "version": "1.0.0", + "title": "CiscoWSA", + "templateRelativePath": "CiscoWSA.json", + "subtitle": "", + "provider": "Cisco" + }, + { + "workbookKey": "GCP-IAM-Workbook", + "logoFileName": "google_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "GCP_IAM_CL" + ], + "dataConnectorsDependencies": [ + "GCPIAMDataConnector" + ], + "previewImagesFileNames": [ + "GCPIAMBlack01.png", + "GCPIAMBlack02.png", + "GCPIAMWhite01.png", + "GCPIAMWhite02.png" + ], + "version": "1.0.0", + "title": "Google Cloud Platform IAM", + "templateRelativePath": "GCP_IAM.json", + "subtitle": "", + "provider": "Google" + }, + { + "workbookKey": "ImpervaWAFCloudWorkbook", + "logoFileName": "Imperva_DarkGrey_final_75x75.svg", + "description": "Sets the time name for analysis.", + "dataTypesDependencies": [ + "ImpervaWAFCloud_CL" + ], + "dataConnectorsDependencies": [ + "ImpervaWAFCloudAPI" + ], + "previewImagesFileNames": [ + "ImpervaWAFCloudBlack01.png", + "ImpervaWAFCloudBlack02.png", + "ImpervaWAFCloudWhite01.png", + "ImpervaWAFCloudWhite02.png" + ], + "version": "1.0.0", + "title": "Imperva WAF Cloud Overview", + "templateRelativePath": "Imperva WAF Cloud Overview.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "ZscalerZPAWorkbook", + "logoFileName": "ZscalerLogo.svg", + "description": "Select the time range for this Overview.", + "dataTypesDependencies": [ + "ZPA_CL" + ], + "dataConnectorsDependencies": [ + "ZscalerPrivateAccess" + ], + "previewImagesFileNames": [ + "ZscalerZPABlack.png", + "ZscalerZPAWhite.png" + ], + "version": "1.0.0", + "title": "Zscaler Private Access (ZPA)", + "templateRelativePath": "ZscalerZPA.json", + 
"subtitle": "", + "provider": "Zscaler" + }, + { + "workbookKey": "GoogleWorkspaceWorkbook", + "logoFileName": "google_logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "GWorkspace_ReportsAPI_admin_CL", + "GWorkspace_ReportsAPI_calendar_CL", + "GWorkspace_ReportsAPI_drive_CL", + "GWorkspace_ReportsAPI_login_CL", + "GWorkspace_ReportsAPI_login_CL", + "GWorkspace_ReportsAPI_mobile_CL" + ], + "dataConnectorsDependencies": [ + "GoogleWorkspaceReportsAPI" + ], + "previewImagesFileNames": [ + "GoogleWorkspaceBlack.png", + "GoogleWorkspaceWhite.png" + ], + "version": "1.0.0", + "title": "GoogleWorkspaceReports", + "templateRelativePath": "GoogleWorkspace.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "NCProtectWorkbook", + "logoFileName": "NCProtectIcon.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "NCProtectUAL_CL" + ], + "dataConnectorsDependencies": [ + "NucleusCyberNCProtect" + ], + "previewImagesFileNames": [ + "", + "" + ], + "version": "1.0.0", + "title": "NucleusCyberProtect", + "templateRelativePath": "NucleusCyber_NCProtect_Workbook.json", + "subtitle": "", + "provider": "archTIS" + }, + { + "workbookKey": "CiscoISEWorkbook", + "logoFileName": "cisco-logo-72px.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "Syslog" + ], + "dataConnectorsDependencies": [ + "CiscoISE" + ], + "previewImagesFileNames": [], + "version": "1.0.0", + "title": "Cisco ISE", + "templateRelativePath": "CiscoISE.json", + "subtitle": "", + "provider": "Cisco" + }, + { + "workbookKey": "IoTOTThreatMonitoringwithDefenderforIoTWorkbook", + "logoFileName": "", + "description": "The OT Threat Monitoring with Defender for IoT Workbook features OT filtering for Security Alerts, Incidents, Vulnerabilities and Asset Inventory. 
The workbook features a dynamic assessment of the MITRE ATT&CK for ICS matrix across your environment to analyze and respond to OT-based threats. This workbook is designed to enable SecOps Analysts, Security Engineers, and MSSPs to gain situational awareness for IT/OT security posture.", + "dataTypesDependencies": [ + "SecurityAlert", + "SecurityIncident" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [], + "version": "1.0.0", + "title": "Microsoft Defender for IoT", + "templateRelativePath": "IoTOTThreatMonitoringwithDefenderforIoT.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "ZeroTrust(TIC3.0)Workbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "SecurityRecommendation" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "ZeroTrust(TIC3.0)Black1.PNG", + "ZeroTrust(TIC3.0)White1.PNG" + ], + "version": "1.0.0", + "title": "ZeroTrust(TIC3.0)", + "templateRelativePath": "ZeroTrustTIC3.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "CybersecurityMaturityModelCertification(CMMC)2.0Workbook", + "logoFileName": "", + "description": "Sets the time name for analysis.", + "dataTypesDependencies": [ + "InformationProtectionLogs_CL", + "AuditLogs", + "SecurityIncident", + "SigninLogs", + "AzureActivity" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [], + "version": "1.0.0", + "title": "CybersecurityMaturityModelCertification(CMMC)2.0", + "templateRelativePath": "CybersecurityMaturityModelCertification_CMMCV2.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "NISTSP80053Workbook", + "logoFileName": "", + "description": "Sets the time name for analysis.", + "dataTypesDependencies": [ + "SigninLogs", + "AuditLogs", + "AzureActivity", + "OfficeActivity", + "SecurityEvents", + "CommonSecurityLog", + "SecurityIncident", + "SecurityRecommendation" + ], 
+ "dataConnectorsDependencies": [ + "SecurityEvents" + ], + "previewImagesFileNames": [], + "version": "1.0.0", + "title": "NISTSP80053workbook", + "templateRelativePath": "NISTSP80053.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "DarktraceWorkbook", + "logoFileName": "Darktrace.svg", + "description": "The Darktrace Workbook visualises Model Breach and AI Analyst data received by the Darktrace Data Connector and visualises events across the network, SaaS, IaaS and Email.", + "dataTypesDependencies": [ + "darktrace_model_alerts_CL" + ], + "dataConnectorsDependencies": [ + "DarktraceRESTConnector" + ], + "previewImagesFileNames": [ + "DarktraceWorkbookBlack01.png", + "DarktraceWorkbookBlack02.png", + "DarktraceWorkbookWhite01.png", + "DarktraceWorkbookWhite02.png" + ], + "version": "1.0.1", + "title": "Darktrace", + "templateRelativePath": "DarktraceWorkbook.json", + "subtitle": "", + "provider": "Darktrace" + }, + { + "workbookKey": "RecordedFutureDomainC2DNSWorkbook", + "logoFileName": "RecordedFuture.svg", + "description": "Sets the time name for DNS Events and Threat Intelligence Time Range", + "dataTypesDependencies": [ + "ThreatIntelligenceIndicator" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [], + "version": "1.0.0", + "title": "Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting", + "templateRelativePath": "Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting.json", + "subtitle": "", + "provider": "Recorded Future" + }, + { + "workbookKey": "RecordedFutureIPActiveC2Workbook", + "logoFileName": "RecordedFuture.svg", + "description": "Sets the time name for DNS Events and Threat Intelligence Time Range", + "dataTypesDependencies": [ + "ThreatIntelligenceIndicator" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [], + "version": "1.0.0", + "title": "Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting", 
+ "templateRelativePath": "Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting.json", + "subtitle": "", + "provider": "Recorded Future" + }, + { + "workbookKey": "MaturityModelForEventLogManagement_M2131", + "logoFileName": "contrastsecurity_logo.svg", + "description": "Select the time range for this Overview.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "MaturityModelForEventLogManagement_M2131Black.png" + ], + "version": "1.0.0", + "title": "MaturityModelForEventLogManagementM2131", + "templateRelativePath": "MaturityModelForEventLogManagement_M2131.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "AzureSQLSecurityWorkbook", + "logoFileName": "AzureSQL.svg", + "description": "Sets the time window in days to search around the alert", + "dataTypesDependencies": [ + "AzureDiagnostics", + "SecurityAlert", + "SecurityIncident" + ], + "dataConnectorsDependencies": [ + "AzureSql" + ], + "previewImagesFileNames": [], + "version": "1.0.0", + "title": "Azure SQL Database Workbook", + "templateRelativePath": "Workbook-AzureSQLSecurity.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "ContinuousDiagnostics&Mitigation", + "logoFileName": "", + "description": "Select the time range for this Overview.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "ContinuousDiagnostics&MitigationBlack.png" + ], + "version": "1.0.0", + "title": "ContinuousDiagnostics&Mitigation", + "templateRelativePath": "ContinuousDiagnostics&Mitigation.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "UserWorkbook-alexdemichieli-github-update-1", + "logoFileName": "GitHub.svg", + "description": "Repository selector.", + "dataTypesDependencies": [ + "githubscanaudit_CL" + ], + "dataConnectorsDependencies": [ + "GitHubWebhook" + ], + "previewImagesFileNames": [], + "version": 
"1.0.0", + "title": "GithubWorkbook-update-to-workbook-1", + "templateRelativePath": "update-to-workbook-1.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "AtlasianJiraAuditWorkbook", + "logoFileName": "", + "description": "Select the time range for this Overview.", + "dataTypesDependencies": [ + "AtlassianJiraNativePoller_CL" + ], + "dataConnectorsDependencies": [ + "AtlassianJira" + ], + "previewImagesFileNames": [ + "AtlassianJiraAuditBlack.png", + "AtlassianJiraAuditWhite.png" + ], + "version": "1.0.0", + "title": "AtlasianJiraAuditWorkbook", + "templateRelativePath": "AtlasianJiraAuditWorkbook.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "AzureSecurityBenchmark", + "logoFileName": "", + "description": "Azure Security Benchmark v3 Workbook provides a mechanism for viewing log queries, azure resource graph, and policies aligned to ASB controls across Microsoft security offerings, Azure, Microsoft 365, 3rd Party, On-Premises, and Multi-cloud workloads. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. 
There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective ASB requirements and practices.",
+ "dataTypesDependencies": [
+ "SecurityRegulatoryCompliance",
+ "AzureDiagnostics",
+ "SecurityIncident",
+ "SigninLogs",
+ "SecurityAlert"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "AzureSecurityBenchmark1.png",
+ "AzureSecurityBenchmark2.png",
+ "AzureSecurityBenchmark3.png"
+ ],
+ "version": "1.0.0",
+ "title": "Azure Security Benchmark",
+ "templateRelativePath": "AzureSecurityBenchmark.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "ZNAccessOchestratorAudit",
+ "logoFileName": "",
+ "description": "This workbook provides a summary of ZeroNetworks data.",
+ "dataTypesDependencies": [
+ "ZNAccessOrchestratorAudit_CL",
+ "ZNAccessOrchestratorAuditNativePoller_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ZeroNetworksAccessOrchestratorAuditFunction",
+ "ZeroNetworksAccessOrchestratorAuditNativePoller"
+ ],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "Zero NetWork",
+ "templateRelativePath": "ZNSegmentAudit.json",
+ "subtitle": "",
+ "provider": "Zero Networks"
+ },
+ {
+ "workbookKey": "FireworkWorkbook",
+ "logoFileName": "FlareSystems.svg",
+ "description": "Select the time range for this Overview.",
+ "dataTypesDependencies": [
+ "Firework_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "FlareSystemsFirework"
+ ],
+ "previewImagesFileNames": [
+ "FireworkOverviewBlack01.png",
+ "FireworkOverviewBlack02.png",
+ "FireworkOverviewWhite01.png",
+ "FireworkOverviewWhite02.png"
+ ],
+ "version": "1.0.0",
+ "title": "FlareSystemsFirework",
+ "templateRelativePath": "FlareSystemsFireworkOverview.json",
+ "subtitle": "",
+ "provider": "Flare Systems"
+ },
+ {
+ "workbookKey": "UserWorkbook-alexdemichieli-github-update-1",
+ "logoFileName": "GitHub.svg",
+ "description": "Gain insights to GitHub activities that may be 
interesting for security.",
+ "dataTypesDependencies": [
+ "GitHubAuditLogPolling_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "GitHubEcAuditLogPolling"
+ ],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "GitHub Security",
+ "templateRelativePath": "GitHubAdvancedSecurity.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "TaniumWorkbook",
+ "logoFileName": "Tanium.svg",
+ "description": "Visualize Tanium endpoint and module data",
+ "dataTypesDependencies": [
+ "TaniumComplyCompliance_CL",
+ "TaniumComplyVulnerabilities_CL",
+ "TaniumDefenderHealth_CL",
+ "TaniumDiscoverUnmanagedAssets_CL",
+ "TaniumHighUptime_CL",
+ "TaniumMainAsset_CL",
+ "TaniumPatchListApplicability_CL",
+ "TaniumPatchListCompliance_CL",
+ "TaniumSCCMClientHealth_CL",
+ "TaniumThreatResponse_CL"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "TaniumComplyDark.png",
+ "TaniumComplyLight.png",
+ "TaniumDiscoverDark.png",
+ "TaniumDiscoverLight.png",
+ "TaniumMSToolingHealthDark.png",
+ "TaniumMSToolingHealthLight.png",
+ "TaniumPatchDark.png",
+ "TaniumPatchLight.png",
+ "TaniumThreatResponseAlertsDark.png",
+ "TaniumThreatResponseAlertsLight.png",
+ "TaniumThreatResponseDark.png",
+ "TaniumThreatResponseLight.png"
+ ],
+ "version": "1.0",
+ "title": "Tanium Workbook",
+ "templateRelativePath": "TaniumWorkbook.json",
+ "subtitle": "",
+ "provider": "Tanium"
+ },
+ {
+ "workbookKey": "ActionableAlertsDashboard",
+ "logoFileName": "",
+ "description": "None.",
+ "dataTypesDependencies": [
+ "CyberSixgill_Alerts_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "CybersixgillActionableAlerts"
+ ],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "Cybersixgill Actionable Alerts Dashboard",
+ "templateRelativePath": "ActionableAlertsDashboard.json",
+ "subtitle": "",
+ "provider": "Cybersixgill"
+ },
+ {
+ "workbookKey": "ActionableAlertsList",
+ "logoFileName": "",
+ "description": "None.",
+ "dataTypesDependencies": [ 
+ "CyberSixgill_Alerts_CL" + ], + "dataConnectorsDependencies": [ + "CybersixgillActionableAlerts" + ], + "previewImagesFileNames": [], + "version": "1.0.0", + "title": "Cybersixgill Actionable Alerts List", + "templateRelativePath": "ActionableAlertsList.json", + "subtitle": "", + "provider": "Cybersixgill" + }, + { + "workbookKey": "ArgosCloudSecurityWorkbook", + "logoFileName": "argos-logo.svg", + "description": "The ARGOS Cloud Security integration for Microsoft Sentinel allows you to have all your important cloud security events in one place.", + "dataTypesDependencies": [ + "ARGOS_CL" + ], + "dataConnectorsDependencies": [ + "ARGOSCloudSecurity" + ], + "previewImagesFileNames": [ + "ARGOSCloudSecurityWorkbookBlack.png", + "ARGOSCloudSecurityWorkbookWhite.png" + ], + "version": "1.0.0", + "title": "ARGOS Cloud Security", + "templateRelativePath": "ARGOSCloudSecurityWorkbook.json", + "subtitle": "", + "provider": "ARGOS Cloud Security" + }, + { + "workbookKey": "JamfProtectWorkbook", + "logoFileName": "jamf_logo.svg", + "description": "This Jamf Protect Workbook for Microsoft Sentinel enables you to ingest Jamf Protect events forwarded into Microsoft Sentinel.\n Providing reports into all alerts, device controls and Unfied Logs.", + "dataTypesDependencies": [ + "jamfprotect_CL" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "JamfProtectDashboardBlack.png", + "JamfProtectDashboardWhite.png" + ], + "version": "2.0.0", + "title": "Jamf Protect Workbook", + "templateRelativePath": "JamfProtectDashboard.json", + "subtitle": "", + "provider": "Jamf Software, LLC" + }, + { + "workbookKey": "AIVectraStream", + "logoFileName": "", + "description": "", + "dataTypesDependencies": [ + "VectraStream_CL" + ], + "dataConnectorsDependencies": [ + "AIVectraStream" + ], + "previewImagesFileNames": [], + "version": "1.0.0", + "title": "AIVectraStreamWorkbook", + "templateRelativePath": "AIVectraStreamWorkbook.json", + "subtitle": "", + "provider": 
"Vectra AI" + }, + { + "workbookKey": "SecurityScorecardWorkbook", + "logoFileName": "", + "description": "This Workbook provides immediate insight into the data coming from SecurityScorecard’s three Sentinel data connectors: SecurityScorecard Cybersecurity Ratings, SecurityScorecard Cybersecurity Ratings - Factors, and SecurityScorecard Cybersecurity Ratings - Issues.", + "dataTypesDependencies": [ + "SecurityScorecardFactor_CL", + "SecurityScorecardIssues_CL", + "SecurityScorecardRatings_CL" + ], + "dataConnectorsDependencies": [ + "SecurityScorecardFactorAzureFunctions", + "SecurityScorecardIssueAzureFunctions", + "SecurityScorecardRatingsAzureFunctions" + ], + "previewImagesFileNames": [ + "SecurityScorecardBlack1.png", + "SecurityScorecardBlack2.png", + "SecurityScorecardBlack3.png", + "SecurityScorecardBlack4.png", + "SecurityScorecardBlack5.png", + "SecurityScorecardBlack6.png", + "SecurityScorecardWhite1.png", + "SecurityScorecardWhite2.png", + "SecurityScorecardWhite3.png", + "SecurityScorecardWhite4.png", + "SecurityScorecardWhite5.png", + "SecurityScorecardWhite6.png" + ], + "version": "1.0.0", + "title": "SecurityScorecard", + "templateRelativePath": "SecurityScorecardWorkbook.json", + "subtitle": "", + "provider": "SecurityScorecard" + }, + { + "workbookKey": "DigitalShadowsWorkbook", + "logoFileName": "DigitalShadowsLogo.svg", + "description": "For gaining insights into Digital Shadows logs.", + "dataTypesDependencies": [ + "DigitalShadows_CL" + ], + "dataConnectorsDependencies": [ + "DigitalShadowsSearchlightAzureFunctions" + ], + "previewImagesFileNames": [ + "DigitalShadowsBlack1.png", + "DigitalShadowsBlack2.png", + "DigitalShadowsBlack3.png", + "DigitalShadowsWhite1.png", + "DigitalShadowsWhite2.png", + "DigitalShadowsWhite3.png" + ], + "version": "1.0.0", + "title": "Digital Shadows", + "templateRelativePath": "DigitalShadows.json", + "subtitle": "", + "provider": "Digital Shadows" + }, + { + "workbookKey": "SalesforceServiceCloudWorkbook", + 
"logoFileName": "salesforce_logo.svg", + "description": "Sets the time name for analysis.", + "dataTypesDependencies": [ + "SalesforceServiceCloud" + ], + "dataConnectorsDependencies": [ + "SalesforceServiceCloud_CL" + ], + "previewImagesFileNames": [], + "version": "1.0.0", + "title": "Salesforce Service Cloud", + "templateRelativePath": "SalesforceServiceCloud.json", + "subtitle": "", + "provider": "Salesforce" + }, + { + "workbookKey": "NetworkSessionSolution", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook is included as part of Network Session Essentials solution and gives a summary of analyzed traffic, helps with threat analysis and investigating suspicious IP’s and traffic analysis. Network Session Essentials Solution also includes playbooks to periodically summarize the logs thus enhancing user experience and improving data search. For the effective usage of workbook, we highly recommend to enable the summarization playbooks that are provided with this solution.", + "dataTypesDependencies": [ + "AWSVPCFlow", + "DeviceNetworkEvents", + "SecurityEvent", + "WindowsEvent", + "CommonSecurityLog", + "Syslog", + "CommonSecurityLog", + "VMConnection", + "AzureDiagnostics", + "AzureDiagnostics", + "CommonSecurityLog", + "Corelight_CL", + "VectraStream", + "CommonSecurityLog", + "CommonSecurityLog", + "Syslog", + "CiscoMerakiNativePoller" + ], + "dataConnectorsDependencies": [ + "AWSS3", + "MicrosoftThreatProtection", + "SecurityEvents", + "WindowsForwardedEvents", + "Zscaler", + "MicrosoftSysmonForLinux", + "PaloAltoNetworks", + "AzureMonitor(VMInsights)", + "AzureFirewall", + "AzureNSG", + "CiscoASA", + "Corelight", + "AIVectraStream", + "CheckPoint", + "Fortinet", + "CiscoMeraki" + ], + "previewImagesFileNames": [], + "version": "1.0.0", + "title": "Network Session Essentials", + "templateRelativePath": "NetworkSessionEssentials.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "SAPSODAnalysis", + "logoFileName": 
"AliterConsulting.svg", + "description": "SAP SOD Analysis", + "dataTypesDependencies": [ + "SAPAuditLog" + ], + "dataConnectorsDependencies": [ + "SAP" + ], + "previewImagesFileNames": [], + "version": "2.0.0", + "title": "SAP SOD Analysis", + "templateRelativePath": "SAP - Segregation of Duties v2.0 (by Aliter Consulting).json", + "subtitle": "", + "provider": "Aliter Consulting" + }, + { + "workbookKey": "TheomWorkbook", + "logoFileName": "theom-logo.svg", + "description": "Theom Alert Statistics", + "dataTypesDependencies": [ + "TheomAlerts_CL" + ], + "dataConnectorsDependencies": [ + "Theom" + ], + "previewImagesFileNames": [ + "TheomWorkbook-black.png", + "TheomWorkbook-white.png" + ], + "version": "1.0.0", + "title": "Theom", + "templateRelativePath": "Theom.json", + "subtitle": "", + "provider": "Theom" + }, + { + "workbookKey": "DynatraceWorkbooks", + "logoFileName": "dynatrace.svg", + "description": "This workbook brings together queries and visualizations to assist you in identifying potential threats surfaced by Dynatrace.", + "dataTypesDependencies": [ + "DynatraceAttacks_CL", + "DynatraceAuditLogs_CL", + "DynatraceProblems_CL", + "DynatraceSecurityProblems_CL" + ], + "dataConnectorsDependencies": [ + "DynatraceAttacks", + "DynatraceAuditLogs", + "DynatraceProblems", + "DynatraceRuntimeVulnerabilities" + ], + "previewImagesFileNames": [ + "DynatraceWorkbookBlack.png", + "DynatraceWorkbookWhite.png" + ], + "version": "2.0.0", + "title": "Dynatrace", + "templateRelativePath": "Dynatrace.json", + "subtitle": "", + "provider": "Dynatrace" + }, + { + "workbookKey": "MDOWorkbook", + "logoFileName": "", + "description": "Gain extensive insight into your organization's Microsoft Defender for Office Activity by analyzing, and correlating events.\nYou can track malware and phishing detection over time.", + "dataTypesDependencies": [ + "SecurityAlert" + ], + "dataConnectorsDependencies": [ + "MicrosoftThreatProtection" + ], + "previewImagesFileNames": [], + 
"version": "1.0.0", + "title": "Microsoft 365 Defender MDOWorkbook", + "templateRelativePath": "MDO Insights.json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "AnomaliesVisualizationWorkbook", + "logoFileName": "", + "description": "A workbook that provides contextual information to a user for better insight on Anomalies and their impact. The workbook will help with investigation of anomalies as well as identify patterns that can lead to a threat.", + "dataTypesDependencies": [ + "Anomalies" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "AnomaliesVisualizationWorkbookWhite.png", + "AnomaliesVisualizationWorkbookBlack.png" + ], + "version": "1.0.0", + "title": "AnomaliesVisulization", + "templateRelativePath": "AnomaliesVisualization.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "AnomalyDataWorkbook", + "logoFileName": "", + "description": "A workbook providing details, related Incident, and related Hunting Workbook for a specific Anomaly.", + "dataTypesDependencies": [ + "Anomalies" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "AnomalyDataWorkbookWhite.png", + "AnomalyDataWorkbookBlack.png" + ], + "version": "1.0.0", + "title": "AnomalyData", + "templateRelativePath": "AnomalyData.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC-Online", + "logoFileName": "Azure_Sentinel.svg", + "description": "This Workbook, dedicated to Exchange Online environments is built to have a simple view of non-standard RBAC delegations on an Exchange Online tenant. 
This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.",
+ "dataTypesDependencies": [
+ "ESIExchangeOnlineConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents",
+ "ESI-ExchangeOnlineCollector"
+ ],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "Microsoft Exchange Least Privilege with RBAC - Online",
+ "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC - Online.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.",
+ "dataTypesDependencies": [
+ "ESIExchangeOnlineConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents",
+ "ESI-ExchangeOnlineCollector"
+ ],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "Microsoft Exchange Least Privilege with RBAC",
+ "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeSearchAdminAuditLog",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This workbook is dedicated to On-Premises Exchange organizations. 
It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment.",
+ "dataTypesDependencies": [
+ "ESIExchangeOnlineConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents",
+ "ESI-ExchangeOnlineCollector"
+ ],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "Microsoft Exchange Search AdminAuditLog",
+ "templateRelativePath": "Microsoft Exchange Search AdminAuditLog.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeSecurityMonitoring",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers.",
+ "dataTypesDependencies": [
+ "ESIExchangeOnlineConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents",
+ "ESI-ExchangeOnlineCollector"
+ ],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "Microsoft Exchange Admin Activity",
+ "templateRelativePath": "Microsoft Exchange Admin Activity.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeSecurityReview-Online",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This Workbook is dedicated to Exchange Online tenants. 
It displays and highlights current Security configuration on various Exchange components specific to Online including delegations, the transport configuration and the linked security risks, and risky protocols.",
+ "dataTypesDependencies": [
+ "ESIExchangeOnlineConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents",
+ "ESI-ExchangeOnlineCollector"
+ ],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "Microsoft Exchange Security Review - Online",
+ "templateRelativePath": "Microsoft Exchange Security Review - Online.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeSecurityReview",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. 
This workbook helps also to understand the transport configuration and the linked security risks.",
+ "dataTypesDependencies": [
+ "ESIExchangeOnlineConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents",
+ "ESI-ExchangeOnlineCollector"
+ ],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "Microsoft Exchange Security Review",
+ "templateRelativePath": "Microsoft Exchange Security Review.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "ibossMalwareAndC2Workbook",
+ "logoFileName": "",
+ "description": "A workbook providing insights into malware and C2 activity detected by iboss.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "iboss Malware and C2",
+ "templateRelativePath": "ibossMalwareAndC2.json",
+ "subtitle": "",
+ "provider": "iboss"
+ },
+ {
+ "workbookKey": "ibossWebUsageWorkbook",
+ "logoFileName": "",
+ "description": "A workbook providing insights into web usage activity detected by iboss.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "iboss Web Usage",
+ "templateRelativePath": "ibossWebUsage.json",
+ "subtitle": "",
+ "provider": "iboss"
+ },
+ {
+ "workbookKey": "CynerioOverviewWorkbook",
+ "logoFileName": "",
+ "description": "An overview of Cynerio Security events",
+ "dataTypesDependencies": ["CynerioEvent_CL"],
+ "dataConnectorsDependencies": ["CynerioSecurityEvents"],
+ "previewImagesFileNames": ["CynerioOverviewBlack.png", "CynerioOverviewWhite.png"],
+ "version": "1.0.0",
+ "title": "Cynerio Overview Workbook",
+ "templateRelativePath": "CynerioOverviewWorkbook.json",
+ "subtitle": "",
+ "provider": "Cynerio"
+ },
+ {
+ "workbookKey": "Fortiweb-workbook",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This workbook depends on a parser based on a Kusto 
Function to work as expected [**Fortiweb**](https://aka.ms/sentinel-FortiwebDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.",
+ "dataTypesDependencies": [
+ "CommonSecurityLog"
+ ],
+ "dataConnectorsDependencies": [
+ "FortinetFortiWeb"
+ ],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "Fortiweb-workbook",
+ "templateRelativePath": "Fortiweb-workbook.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "ReversingLabs-CapabilitiesOverview",
+ "logoFileName": "reversinglabs.svg",
+ "description": "The ReversingLabs-CapabilitiesOverview workbook provides a high level look at your threat intelligence capabilities and how they relate to your operations.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "ReversingLabsTiSummary-White.png",
+ "ReversingLabsTiSummary-Black.png",
+ "ReversingLabsOpsSummary-White.png",
+ "ReversingLabsOpsSummary-Black.png"
+ ],
+ "version": "1.1.1",
+ "title": "ReversingLabs-CapabilitiesOverview",
+ "templateRelativePath": "ReversingLabs-CapabilitiesOverview.json",
+ "subtitle": "",
+ "provider": "ReversingLabs"
+ },
+ {
+ "workbookKey": "TalonInsights",
+ "logoFileName": "Talon.svg",
+ "description": "This workbook provides Talon Security Insights on Log Analytics Query Logs",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "TalonInsightsBlack.png",
+ "TalonInsightsWhite.png"
+ ],
+ "version": "2.0.0",
+ "title": "Talon Insights",
+ "templateRelativePath": "TalonInsights.json",
+ "subtitle": "",
+ "provider": "Talon Security"
+ },
+ {
+ "workbookKey": "vCenter",
+ "logoFileName": [],
+ "description": "This data connector depends on a parser based on Kusto Function **vCenter** to work as expected. 
[Follow steps to get this Kusto Function](https://aka.ms/sentinel-vCenter-parser)",
+ "dataTypesDependencies": [
+ "vCenter_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "VMwarevCenter"
+ ],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "vCenter",
+ "templateRelativePath": "vCenter.json",
+ "subtitle": "",
+ "provider": "VMware"
+ },
+ {
+ "workbookKey": "SAP-Monitors-AlertsandPerformance",
+ "logoFileName": "SAPVMIcon.svg",
+ "description": "SAP -Monitors- Alerts and Performance",
+ "dataTypesDependencies": [
+ "SAPAuditLog"
+ ],
+ "dataConnectorsDependencies": [
+ "SAP"
+ ],
+ "previewImagesFileNames": [
+ "SAPVMIcon.svg"
+ ],
+ "version": "2.0.1",
+ "title": "SAP -Monitors- Alerts and Performance",
+ "templateRelativePath": "SAP -Monitors- Alerts and Performance.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "SAP-SecurityAuditlogandInitialAccess",
+ "logoFileName": "SAPVMIcon.svg",
+ "description": "SAP -Security Audit log and Initial Access",
+ "dataTypesDependencies": [
+ "SAPAuditLog"
+ ],
+ "dataConnectorsDependencies": [
+ "SAP"
+ ],
+ "previewImagesFileNames": [
+ "SAPVMIcon.svg"
+ ],
+ "version": "2.0.1",
+ "title": "SAP -Security Audit log and Initial Access",
+ "templateRelativePath": "SAP -Security Audit log and Initial Access.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "DNSSolutionWorkbook",
+ "logoFileName": "",
+ "description": "This workbook is included as part of the DNS Essentials solution and gives a summary of analyzed DNS traffic. It also helps with threat analysis and investigating suspicious Domains, IPs and DNS traffic. DNS Essentials Solution also includes a playbook to periodically summarize the logs, thus enhancing the user experience and improving data search. 
For effective usage of workbook, we highly recommend enabling the summarization playbook that is provided with this solution.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "DNSDomainWorkbookWhite.png",
+ "DNSDomainWorkbookBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "DNS Solution Workbook",
+ "templateRelativePath": "DNSSolutionWorkbook.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftPowerBIActivityWorkbook",
+ "logoFileName": "",
+ "description": "This workbook provides details on Microsoft PowerBI Activity",
+ "dataTypesDependencies": [
+ "PowerBIActivity"
+ ],
+ "dataConnectorsDependencies": [
+ "Microsoft PowerBI (Preview)"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftPowerBIActivityWorkbookBlack.png",
+ "MicrosoftPowerBIActivityWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Microsoft PowerBI Activity Workbook",
+ "templateRelativePath": "MicrosoftPowerBIActivityWorkbook.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftThreatIntelligenceWorkbook",
+ "logoFileName": "",
+ "description": "Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. 
Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable.",
+ "dataTypesDependencies": [
+ "ThreatIntelligenceIndicator",
+ "SecurityIncident"
+ ],
+ "dataConnectorsDependencies": [
+ "ThreatIntelligence",
+ "ThreatIntelligenceTaxii"
+ ],
+ "previewImagesFileNames": [
+ "ThreatIntelligenceWhite.png",
+ "ThreatIntelligenceBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Threat Intelligence",
+ "templateRelativePath": "MicrosoftThreatIntelligence.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftDefenderForEndPoint",
+ "logoFileName": "",
+ "description": "A wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through M365 Defender Connector.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "microsoftdefenderforendpointwhite.png",
+ "microsoftdefenderforendpointblack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Microsoft Defender For EndPoint",
+ "templateRelativePath": "MicrosoftDefenderForEndPoint.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "MicrosoftDefenderForIdentity",
+ "logoFileName": "",
+ "description": "Use this workbook to analyse the advance hunting data ingested for Defender For Identity.",
+ "dataTypesDependencies": [
+ "IdentityLogonEvents",
+ "IdentityQueryEvents",
+ "IdentityDirectoryEvents",
+ "SecurityAlert"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "microsoftdefenderforidentityblack.png",
+ "microsoftdefenderforidentitywhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Microsoft Defender For Identity",
+ "templateRelativePath": "MicrosoftDefenderForIdentity.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel Community"
+ },
+ {
+ "workbookKey": "EsetProtect",
+ "logoFileName": "",
+ "description": "Visualize events and threats from Eset protect.",
+ 
"dataTypesDependencies": [ + "ESETPROTECT" + ], + "dataConnectorsDependencies": [ + "ESETPROTECT" + ], + "previewImagesFileNames": [ + "ESETPROTECTBlack.png", + "ESETPROTECTWhite.png" + ], + "version": "1.0.0", + "title": "EsetProtect", + "templateRelativePath": "ESETPROTECT.json", + "subtitle": "", + "provider": "Community" + }, + { + "workbookKey": "CyberArkEPMWorkbook", + "logoFileName": "CyberArk_Logo.svg", + "description": "Sets the time name for analysis", + "dataTypesDependencies": [ + "CyberArkEPM_CL" + ], + "dataConnectorsDependencies": [ + "CyberArkEPM" + ], + "previewImagesFileNames": [ + "CyberArkEPMBlack.png", + "CyberArkEPMWhite.png" + ], + "version": "1.0.0", + "title": "CyberArk EPM", + "templateRelativePath": "CyberArkEPM.json", + "subtitle": "", + "provider": "CyberArk" + }, + { + "workbookKey": "NetskopeWorkbook", + "logoFileName": "Netskope_logo.svg", + "description": "Gain insights and comprehensive monitoring into Netskope events data by analyzing traffic and user activities.\nThis workbook provides insights into various Netskope events types such as Cloud Firewall, Network Private Access, Applications, Security Alerts as well as Web Transactions.\nYou can use this workbook to get visibility in to your Netskope Security Cloud and quickly identify threats, anamolies, traffic patterns, cloud application useage, blocked URL addresses and more.", + "dataTypesDependencies": [ + "Netskope_Events_CL", + "Netskope_Alerts_CL", + "Netskope_WebTX_CL" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "Netskope-ApplicationEvents-Black.png", + "Netskope-ApplicationEvents-White.png", + "Netskope-SecurityAlerts-DLP-Black.png", + "Netskope-SecurityAlerts-DLP-White.png", + "Netskope-NetworkEvents-CFW-Black.png", + "Netskope-NetworkEvents-CFW-White.png", + "Netskope-SecurityAlerts-Malsite-Black.png", + "Netskope-SecurityAlerts-Malsite-White.png", + "Netskope-NetworkEvents-NPA-Black.png", + "Netskope-NetworkEvents-NPA-White.png", + 
"Netskope-SecurityAlerts-Malware-White.png", + "Netskope-SecurityAlerts-Malware-Black.png", + "Netskope-SecurityAlerts-BehaviorAnalytics-Black.png", + "Netskope-SecurityAlerts-BehaviorAnalytics-White.png", + "Netskope-SecurityAlerts-Overview-Black.png", + "Netskope-SecurityAlerts-Overview-White.png", + "Netskope-SecurityAlerts-CompormisedCredentials-Black.png", + "Netskope-SecurityAlerts-CompromisedCredentials-White.png", + "Netskope-WebTransactions-Black.png", + "Netskope-WebTransactions-White.png" + ], + "version": "1.0", + "title": "Netskope", + "templateRelativePath": "NetskopeEvents.json", + "subtitle": "", + "provider": "Netskope" + }, + { + "workbookKey": "AIShield", + "logoFileName": "", + "description": "Visualize events generated by AIShield. This workbook is dependent on a parser AIShield which is a part of the solution deployment.", + "dataTypesDependencies": [ + "AIShield" + ], + "dataConnectorsDependencies": [ + "AIShield" + ], + "previewImagesFileNames": [ + "AIShieldBlack.png", + "AIShieldWhite.png" + ], + "version": "1.0.0", + "title": "AIShield Workbook", + "templateRelativePath": "AIShield.json", + "subtitle": "", + "provider": "Community" + }, + { + "workbookKey": "AttackSurfaceReduction", + "logoFileName": "M365securityposturelogo.svg", + "description": "This workbook helps you implement the ASR rules of Windows/Defender, and to monitor them over time. 
The workbook can filter on ASR rules in Audit mode and Block mode.",
+ "dataTypesDependencies": [
+ "DeviceEvents"
+ ],
+ "dataConnectorsDependencies": [
+ "MicrosoftThreatProtection"
+ ],
+ "previewImagesFileNames": [
+ "AttackSurfaceReductionWhite.png",
+ "AttackSurfaceReductionBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Attack Surface Reduction Dashboard",
+ "templateRelativePath": "AttackSurfaceReduction.json",
+ "subtitle": "",
+ "provider": "Microsoft Sentinel community"
+ },
+ {
+ "workbookKey": "IncidentTasksWorkbook",
+ "logoFileName": "",
+ "description": "Use this workbook to review and modify existing incidents with tasks. This workbook provides views that higlight incident tasks that are open, closed, or deleted, as well as incidents with tasks that are either owned or unassigned. The workbook also provides SOC metrics around incident task performance, such as percentage of incidents without tasks, average time to close tasks, and more.",
+ "dataTypesDependencies": [],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "Tasks-Black.png",
+ "Tasks-White.png"
+ ],
+ "version": "1.1.0",
+ "title": "Incident Tasks Workbook",
+ "templateRelativePath": "IncidentTasksWorkbook.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "NetCleanProActiveWorkbook",
+ "logoFileName": "NetCleanImpactLogo.svg",
+ "description": "This workbook provides insights on NetClean ProActive Incidents.",
+ "dataTypesDependencies": [
+ "Netclean_Incidents_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "Netclean_ProActive_Incidents"
+ ],
+ "previewImagesFileNames": [
+ "NetCleanProActiveBlack1.png",
+ "NetCleanProActiveBlack2.png",
+ "NetCleanProActiveWhite1.png",
+ "NetCleanProActiveWhite2.png"
+ ],
+ "version": "1.0.0",
+ "title": "NetClean ProActive",
+ "templateRelativePath": "NetCleanProActiveWorkbook.json",
+ "subtitle": "",
+ "provider": "NetClean"
+ },
+ {
+ "workbookKey": "AutomationHealth",
+ "logoFileName": 
"Azure_Sentinel.svg", + "description": "Have a holistic overview of your automation health, gain insights about failures, correlate Microsoft Sentinel health with Logic Apps diagnostics logs and deep dive automation details per incident", + "dataTypesDependencies": [ + "SentinelHealth" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "AutomationHealthBlack.png", + "AutomationHealthWhite.png" + ], + "version": "2.0.0", + "title": "Automation health", + "templateRelativePath": "AutomationHealth.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" + }, + { + "workbookKey": "SAP-AuditControls", + "logoFileName": "SAPVMIcon.svg", + "description": "SAP -Audit Controls (Preview)", + "dataTypesDependencies": [ + "SAPAuditLog" + ], + "dataConnectorsDependencies": [ + "SAP" + ], + "previewImagesFileNames": [ + "SAPVMIcon.svg" + ], + "version": "1.0.0", + "title": "SAP -Audit Controls (Preview)", + "templateRelativePath": "SAP -Audit Controls (Preview).json", + "subtitle": "", + "provider": "Microsoft" + }, + { + "workbookKey": "ZoomReports", "logoFileName": "", - "description": "Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable.", - "dataTypesDependencies": [ - "ThreatIntelligenceIndicator", - "SecurityIncident" - ], - "dataConnectorsDependencies": [ - "ThreatIntelligence", - "ThreatIntelligenceTaxii" - ], - "previewImagesFileNames": [ - "ThreatIntelligenceWhite.png", - "ThreatIntelligenceBlack.png" - ], + "description": "Visualize various details & visuals on Zoom Report data ingested though the solution. 
This also have a dependency on the parser which is available as a part of Zoom solution named Zoom", + "dataTypesDependencies": [ "Zoom" ], + "dataConnectorsDependencies": ["Zoom Reports"], + "previewImagesFileNames": [ "ZoomReportsBlack.png", "ZoomReportsWhite.png" ], "version": "1.0.0", - "title": "Threat Intelligence", - "templateRelativePath": "MicrosoftThreatIntelligence.json", + "title": "Zoom Reports", + "templateRelativePath": "ZoomReports.json", "subtitle": "", - "provider": "Microsoft" + "provider": "Community" + }, + { + "workbookKey": "ExchangeOnlineWorkbook", + "logoFileName": "office365_logo.svg", + "description": "Gain insights into Microsoft Exchange online by tracing and analyzing all Exchange operations and user activities.\nThis workbook let you monitor user activities, including logins, account operations, permission changes, and mailbox creations to discover suspicious trends among them.", + "dataTypesDependencies": [ + "OfficeActivity" + ], + "dataConnectorsDependencies": [ + "Office365" + ], + "previewImagesFileNames": [ + "ExchangeOnlineWhite.png", + "ExchangeOnlineBlack.png" + ], + "version": "2.0.0", + "title": "Exchange Online", + "templateRelativePath": "ExchangeOnline.json", + "subtitle": "", + "provider": "Microsoft" }, { - "workbookKey": "MicrosoftDefenderForEndPoint", - "logoFileName": "", - "description": "A wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through M365 Defender Connector.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "microsoftdefenderforendpointwhite.png", - "microsoftdefenderforendpointblack.png" - ], - "version": "1.0.0", - "title": "Microsoft Defender For EndPoint", - "templateRelativePath": "MicrosoftDefenderForEndPoint.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community" + "workbookKey": "Office365Workbook", + "logoFileName": "office365_logo.svg", + "description": "Gain 
insights into Office 365 by tracing and analyzing all operations and activities. You can drill down into your SharePoint, OneDrive, and Exchange.\nThis workbook lets you find usage trends across users, files, folders, and mailboxes, making it easier to identify anomalies in your network.", + "dataTypesDependencies": [ + "OfficeActivity" + ], + "dataConnectorsDependencies": [ + "Office365" + ], + "previewImagesFileNames": [ + "Office365White1.png", + "Office365Black1.png", + "Office365White2.png", + "Office365Black2.png", + "Office365White3.png", + "Office365Black3.png" + ], + "version": "2.0.1", + "title": "Office 365", + "templateRelativePath": "Office365.json", + "subtitle": "", + "provider": "Microsoft" }, { - "workbookKey": "MicrosoftDefenderForIdentity", - "logoFileName": "", - "description": "Use this workbook to analyse the advance hunting data ingested for Defender For Identity.", - "dataTypesDependencies": [ - "IdentityLogonEvents", - "IdentityQueryEvents", - "IdentityDirectoryEvents", - "SecurityAlert" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "microsoftdefenderforidentityblack.png", - "microsoftdefenderforidentitywhite.png" - ], - "version": "1.0.0", - "title": "Microsoft Defender For Identity", - "templateRelativePath": "MicrosoftDefenderForIdentity.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community" + "workbookKey": "SharePointAndOneDriveWorkbook", + "logoFileName": "office365_logo.svg", + "description": "Gain insights into SharePoint and OneDrive by tracing and analyzing all operations and activities.\nYou can view trends across user operation, find correlations between users and files, and identify interesting information such as user IP addresses.", + "dataTypesDependencies": [ + "OfficeActivity" + ], + "dataConnectorsDependencies": [ + "Office365" + ], + "previewImagesFileNames": [ + "SharePointAndOneDriveBlack1.png", + "SharePointAndOneDriveBlack2.png", + "SharePointAndOneDriveWhite1.png", + 
"SharePointAndOneDriveWhite2.png" + ], + "version": "2.0.0", + "title": "SharePoint & OneDrive", + "templateRelativePath": "SharePointAndOneDrive.json", + "subtitle": "", + "provider": "Microsoft" }, { - "workbookKey": "EsetProtect", - "logoFileName": "", - "description": "Visualize events and threats from Eset protect.", - "dataTypesDependencies": [ - "ESETPROTECT" - ], - "dataConnectorsDependencies": [ - "ESETPROTECT" - ], - "previewImagesFileNames": [ - "ESETPROTECTBlack.png", - "ESETPROTECTWhite.png" - ], - "version": "1.0.0", - "title": "EsetProtect", - "templateRelativePath": "ESETPROTECT.json", - "subtitle": "", - "provider": "Community" + "workbookKey": "QualysVMWorkbook", + "logoFileName": "qualys_logo.svg", + "description": "Gain insight into Qualys Vulnerability Management by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into vulnerabilities detected from vulnerability scans", + "dataTypesDependencies": [ + "QualysHostDetection_CL" + ], + "dataConnectorsDependencies": [ + "QualysVulnerabilityManagement" + ], + "previewImagesFileNames": [ + "QualysVMWhite.png", + "QualysVMBlack.png" + ], + "version": "1.0.0", + "title": "Qualys Vulnerability Management", + "templateRelativePath": "QualysVM.json", + "subtitle": "", + "provider": "Qualys" }, { - "workbookKey": "CyberArkEPMWorkbook", - "logoFileName": "CyberArk_Logo.svg", - "description": "Sets the time name for analysis", - "dataTypesDependencies": [ - "CyberArkEPM_CL" - ], - "dataConnectorsDependencies": [ - "CyberArkEPM" - ], - "previewImagesFileNames": [ - "CyberArkEPMBlack.png", - "CyberArkEPMWhite.png" - ], - "version": "1.0.0", - "title": "CyberArk EPM", - "templateRelativePath": "CyberArkEPM.json", - "subtitle": "", - "provider": "CyberArk" + "workbookKey": "QualysVMV2Workbook", + "logoFileName": "qualys_logo.svg", + "description": "Gain insight into Qualys Vulnerability Management by analyzing, collecting and correlating vulnerability data.\nThis 
workbook provides visibility into vulnerabilities detected from vulnerability scans", + "dataTypesDependencies": [ + "QualysHostDetectionV2_CL" + ], + "dataConnectorsDependencies": [ + "QualysVulnerabilityManagement" + ], + "previewImagesFileNames": [ + "QualysVMWhite.png", + "QualysVMBlack.png" + ], + "version": "1.0.0", + "title": "Qualys Vulnerability Management", + "templateRelativePath": "QualysVMv2.json", + "subtitle": "", + "provider": "Qualys" }, + { - "workbookKey": "NetskopeWorkbook", - "logoFileName": "Netskope_logo.svg", - "description": "Gain insights and comprehensive monitoring into Netskope events data by analyzing traffic and user activities.\nThis workbook provides insights into various Netskope events types such as Cloud Firewall, Network Private Access, Applications, Security Alerts as well as Web Transactions.\nYou can use this workbook to get visibility in to your Netskope Security Cloud and quickly identify threats, anamolies, traffic patterns, cloud application useage, blocked URL addresses and more.", - "dataTypesDependencies": [ - "Netskope_Events_CL", - "Netskope_Alerts_CL", - "Netskope_WebTX_CL" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "Netskope-ApplicationEvents-Black.png", - "Netskope-ApplicationEvents-White.png", - "Netskope-SecurityAlerts-DLP-Black.png", - "Netskope-SecurityAlerts-DLP-White.png", - "Netskope-NetworkEvents-CFW-Black.png", - "Netskope-NetworkEvents-CFW-White.png", - "Netskope-SecurityAlerts-Malsite-Black.png", - "Netskope-SecurityAlerts-Malsite-White.png", - "Netskope-NetworkEvents-NPA-Black.png", - "Netskope-NetworkEvents-NPA-White.png", - "Netskope-SecurityAlerts-Malware-White.png", - "Netskope-SecurityAlerts-Malware-Black.png", - "Netskope-SecurityAlerts-BehaviorAnalytics-Black.png", - "Netskope-SecurityAlerts-BehaviorAnalytics-White.png", - "Netskope-SecurityAlerts-Overview-Black.png", - "Netskope-SecurityAlerts-Overview-White.png", - 
"Netskope-SecurityAlerts-CompormisedCredentials-Black.png", - "Netskope-SecurityAlerts-CompromisedCredentials-White.png", - "Netskope-WebTransactions-Black.png", - "Netskope-WebTransactions-White.png" - ], - "version": "1.0", - "title": "Netskope", - "templateRelativePath": "NetskopeEvents.json", - "subtitle": "", - "provider": "Netskope" + "workbookKey": "MicrosoftDefenderForOffice365", + "logoFileName": "office365_logo.svg", + "description": "Gain insights into your Microsoft Defender for Office 365 raw data logs. This workbook lets you look at trends in email senders, attachments and embedded URL data to find anomalies. You can also search by, sender, recipient, subject, attachment or embedded URL to find where the related messages have been sent.", + "dataTypesDependencies": [ + "EmailEvents", + "EmailUrlInfo", + "EmailAttachmentInfo" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "MDOWhite1.png", + "MDOBlack1.png", + "MDOWhite2.png", + "MDOBlack2.png" + ], + "version": "1.0.0", + "title": "Microsoft Defender For Office 365", + "templateRelativePath": "MicrosoftDefenderForOffice365.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" }, { - "workbookKey": "AIShield", - "logoFileName": "", - "description": "Visualize events generated by AIShield. 
This workbook is dependent on a parser AIShield which is a part of the solution deployment.", - "dataTypesDependencies": [ - "AIShield" - ], - "dataConnectorsDependencies": [ - "AIShield" - ], - "previewImagesFileNames": [ - "AIShieldBlack.png", - "AIShieldWhite.png" - ], - "version": "1.0.0", - "title": "AIShield Workbook", - "templateRelativePath": "AIShield.json", - "subtitle": "", - "provider": "Community" + "workbookKey": "MicrosoftDefenderForEndPoint", + "logoFileName": "", + "description": "A wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through M365 Defender Connector.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "microsoftdefenderforendpointwhite.png", + "microsoftdefenderforendpointblack.png" + ], + "version": "1.0.0", + "title": "MicrosoftDefenderForEndPoint", + "templateRelativePath": "MicrosoftDefenderForEndPoint.json", + "subtitle": "", + "provider": "Microsoft Sentinel Community" }, { - "workbookKey": "AttackSurfaceReduction", - "logoFileName": "M365securityposturelogo.svg", - "description": "This workbook helps you implement the ASR rules of Windows/Defender, and to monitor them over time. 
The workbook can filter on ASR rules in Audit mode and Block mode.", - "dataTypesDependencies": [ - "DeviceEvents" - ], - "dataConnectorsDependencies": [ - "MicrosoftThreatProtection" - ], - "previewImagesFileNames": [ - "AttackSurfaceReductionWhite.png", - "AttackSurfaceReductionBlack.png" - ], - "version": "1.0.0", - "title": "Attack Surface Reduction Dashboard", - "templateRelativePath": "AttackSurfaceReduction.json", - "subtitle": "", - "provider": "Microsoft Sentinel community" + "workbookKey": "InsiderRiskManagementWorkbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "The Microsoft Insider Risk Management Workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide \u201cGo to Alert\u201d links to provide deeper integration between products and a simplified user experience for exploring alerts. ", + "dataTypesDependencies": [ + "SigninLogsSigninLogs", + "AuditLogs", + "AzureActivity", + "OfficeActivity", + "InformationProtectionLogs_CL", + "SecurityIncident" + ], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "InsiderRiskManagementBlack1.png" + ], + "version": "1.0.0", + "title": "Insider Risk Management", + "templateRelativePath": "InsiderRiskManagement.json", + "subtitle": "", + "provider": "Microsoft" }, { - "workbookKey": "IncidentTasksWorkbook", - "logoFileName": "", - "description": "Use this workbook to review and modify existing incidents with tasks. This workbook provides views that higlight incident tasks that are open, closed, or deleted, as well as incidents with tasks that are either owned or unassigned. 
The workbook also provides SOC metrics around incident task performance, such as percentage of incidents without tasks, average time to close tasks, and more.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "Tasks-Black.png", - "Tasks-White.png" - ], - "version": "1.1.0", - "title": "Incident Tasks Workbook", - "templateRelativePath": "IncidentTasksWorkbook.json", - "subtitle": "", - "provider": "Microsoft" - }, - { - "workbookKey": "NetCleanProActiveWorkbook", - "logoFileName": "NetCleanImpactLogo.svg", - "description": "This workbook provides insights on NetClean ProActive Incidents.", + "workbookKey": "Fortiweb-workbook", + "logoFileName": "Azure_Sentinel.svg", + "description": "This workbook depends on a parser based on a Kusto Function to work as expected [**Fortiweb**](https://aka.ms/sentinel-FortiwebDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.", "dataTypesDependencies": [ - "Netclean_Incidents_CL" + "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "Netclean_ProActive_Incidents" - ], - "previewImagesFileNames": [ - "NetCleanProActiveBlack1.png", - "NetCleanProActiveBlack2.png", - "NetCleanProActiveWhite1.png", - "NetCleanProActiveWhite2.png" + "FortinetFortiWeb" ], + "previewImagesFileNames": [], "version": "1.0.0", - "title": "NetClean ProActive", - "templateRelativePath": "NetCleanProActiveWorkbook.json", + "title": "Fortiweb-workbook", + "templateRelativePath": "Fortiweb-workbook.json", "subtitle": "", - "provider": "NetClean" - }, - { - "workbookKey": "AutomationHealth", - "logoFileName": "Azure_Sentinel.svg", - "description": "Have a holistic overview of your automation health, gain insights about failures, correlate Microsoft Sentinel health with Logic Apps diagnostics logs and deep dive automation details per incident", - "dataTypesDependencies": [ - "SentinelHealth" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - 
"AutomationHealthBlack.png", - "AutomationHealthWhite.png" - ], - "version": "2.0.0", - "title": "Automation health", - "templateRelativePath": "AutomationHealth.json", - "subtitle": "", - "provider": "Microsoft Sentinel Community" + "provider": "Microsoft" }, { - "workbookKey": "SAP-AuditControls", - "logoFileName": "SAPVMIcon.svg", - "description": "SAP -Audit Controls (Preview)", - "dataTypesDependencies": [ - "SAPAuditLog" - ], - "dataConnectorsDependencies": [ - "SAP" - ], - "previewImagesFileNames": [ - "SAPVMIcon.svg" - ], - "version": "1.0.0", - "title": "SAP -Audit Controls (Preview)", - "templateRelativePath": "SAP -Audit Controls (Preview).json", - "subtitle": "", - "provider": "Microsoft" + "workbookKey": "WebSessionEssentialsWorkbook", + "logoFileName": "", + "description": "The 'Web Session Essentials' workbook provides real-time insights into activity and potential threats in your network. This workbook is designed for network teams, security architects, analysts, and consultants to monitor, identify and investigate threats on Web servers, Web Proxies and Web Security Gateways assets. This Workbook gives a summary of analysed web traffic and helps with threat analysis and investigating suspicious http traffic.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "WebSessionEssentialsWorkbookWhite.png", + "WebSessionEssentialsWorkbookBlack.png" + ], + "version": "1.0.0", + "title": "Web Session Essentials Workbook", + "templateRelativePath": "WebSessionEssentials.json", + "subtitle": "", + "provider": "Microsoft" }, { - "workbookKey": "ZoomReports", - "logoFileName": "", - "description": "Visualize various details & visuals on Zoom Report data ingested though the solution. 
This also have a dependency on the parser which is available as a part of Zoom solution named Zoom", - "dataTypesDependencies": [ "Zoom" ], - "dataConnectorsDependencies": ["Zoom Reports"], - "previewImagesFileNames": [ "ZoomReportsBlack.png", "ZoomReportsWhite.png" ], + "workbookKey": "IslandAdminAuditOverview", + "logoFileName": "island.svg", + "description": "This workbook provides a view into the activities of administrators in the Island Management Console.", + "dataTypesDependencies": [], + "dataConnectorsDependencies": [], + "previewImagesFileNames": [ + "IslandEnterpriseBrowserAdminAuditOverview.png" + ], "version": "1.0.0", - "title": "Zoom Reports", - "templateRelativePath": "ZoomReports.json", + "title": "Island Admin Audit Overview", + "templateRelativePath": "IslandAdminAuditOverview.json", "subtitle": "", - "provider": "Community" + "provider": "Island" }, -{ - "workbookKey": "ExchangeOnlineWorkbook", - "logoFileName": "office365_logo.svg", - "description": "Gain insights into Microsoft Exchange online by tracing and analyzing all Exchange operations and user activities.\nThis workbook let you monitor user activities, including logins, account operations, permission changes, and mailbox creations to discover suspicious trends among them.", - "dataTypesDependencies": [ - "OfficeActivity" - ], - "dataConnectorsDependencies": [ - "Office365" - ], - "previewImagesFileNames": [ - "ExchangeOnlineWhite.png", - "ExchangeOnlineBlack.png" - ], - "version": "2.0.0", - "title": "Exchange Online", - "templateRelativePath": "ExchangeOnline.json", - "subtitle": "", - "provider": "Microsoft" -}, -{ - "workbookKey": "Office365Workbook", - "logoFileName": "office365_logo.svg", - "description": "Gain insights into Office 365 by tracing and analyzing all operations and activities. 
You can drill down into your SharePoint, OneDrive, and Exchange.\nThis workbook lets you find usage trends across users, files, folders, and mailboxes, making it easier to identify anomalies in your network.",
- "dataTypesDependencies": [
- "OfficeActivity"
- ],
- "dataConnectorsDependencies": [
- "Office365"
- ],
- "previewImagesFileNames": [
- "Office365White1.png",
- "Office365Black1.png",
- "Office365White2.png",
- "Office365Black2.png",
- "Office365White3.png",
- "Office365Black3.png"
- ],
- "version": "2.0.1",
- "title": "Office 365",
- "templateRelativePath": "Office365.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "SharePointAndOneDriveWorkbook",
- "logoFileName": "office365_logo.svg",
- "description": "Gain insights into SharePoint and OneDrive by tracing and analyzing all operations and activities.\nYou can view trends across user operation, find correlations between users and files, and identify interesting information such as user IP addresses.",
- "dataTypesDependencies": [
- "OfficeActivity"
- ],
- "dataConnectorsDependencies": [
- "Office365"
- ],
- "previewImagesFileNames": [
- "SharePointAndOneDriveBlack1.png",
- "SharePointAndOneDriveBlack2.png",
- "SharePointAndOneDriveWhite1.png",
- "SharePointAndOneDriveWhite2.png"
- ],
- "version": "2.0.0",
- "title": "SharePoint & OneDrive",
- "templateRelativePath": "SharePointAndOneDrive.json",
- "subtitle": "",
- "provider": "Microsoft"
-},
-{
- "workbookKey": "QualysVMWorkbook",
- "logoFileName": "qualys_logo.svg",
- "description": "Gain insight into Qualys Vulnerability Management by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into vulnerabilities detected from vulnerability scans",
- "dataTypesDependencies": [
- "QualysHostDetection_CL"
- ],
- "dataConnectorsDependencies": [
- "QualysVulnerabilityManagement"
- ],
- "previewImagesFileNames": [
- "QualysVMWhite.png",
- "QualysVMBlack.png"
- ],
- "version": "1.0.0",
- "title": 
"Qualys Vulnerability Management", - "templateRelativePath": "QualysVM.json", - "subtitle": "", - "provider": "Qualys" -}, -{ - "workbookKey": "QualysVMV2Workbook", - "logoFileName": "qualys_logo.svg", - "description": "Gain insight into Qualys Vulnerability Management by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into vulnerabilities detected from vulnerability scans", - "dataTypesDependencies": [ - "QualysHostDetectionV2_CL" - ], - "dataConnectorsDependencies": [ - "QualysVulnerabilityManagement" - ], - "previewImagesFileNames": [ - "QualysVMWhite.png", - "QualysVMBlack.png" - ], - "version": "1.0.0", - "title": "Qualys Vulnerability Management", - "templateRelativePath": "QualysVMv2.json", - "subtitle": "", - "provider": "Qualys" -}, - -{ - "workbookKey": "MicrosoftDefenderForOffice365", - "logoFileName": "office365_logo.svg", - "description": "Gain insights into your Microsoft Defender for Office 365 raw data logs. This workbook lets you look at trends in email senders, attachments and embedded URL data to find anomalies. 
You can also search by, sender, recipient, subject, attachment or embedded URL to find where the related messages have been sent.",
- "dataTypesDependencies": [
- "EmailEvents",
- "EmailUrlInfo",
- "EmailAttachmentInfo"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "MDOWhite1.png",
- "MDOBlack1.png",
- "MDOWhite2.png",
- "MDOBlack2.png"
- ],
- "version": "1.0.0",
- "title": "Microsoft Defender For Office 365",
- "templateRelativePath": "MicrosoftDefenderForOffice365.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
-},
-{
- "workbookKey": "MicrosoftDefenderForEndPoint",
- "logoFileName": "",
- "description": "A wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through M365 Defender Connector.",
- "dataTypesDependencies": [],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [
- "microsoftdefenderforendpointwhite.png",
- "microsoftdefenderforendpointblack.png"
- ],
- "version": "1.0.0",
- "title": "MicrosoftDefenderForEndPoint",
- "templateRelativePath": "MicrosoftDefenderForEndPoint.json",
- "subtitle": "",
- "provider": "Microsoft Sentinel Community"
-},
-{
- "workbookKey": "InsiderRiskManagementWorkbook",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "The Microsoft Insider Risk Management Workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide \u201cGo to Alert\u201d links to provide deeper integration between products and a simplified user experience for exploring alerts. 
", - "dataTypesDependencies": [ - "SigninLogsSigninLogs", - "AuditLogs", - "AzureActivity", - "OfficeActivity", - "InformationProtectionLogs_CL", - "SecurityIncident" - ], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "InsiderRiskManagementBlack1.png" - ], - "version": "1.0.0", - "title": "Insider Risk Management", - "templateRelativePath": "InsiderRiskManagement.json", - "subtitle": "", - "provider": "Microsoft" -}, -{ -"workbookKey": "Fortiweb-workbook", -"logoFileName": "Azure_Sentinel.svg", -"description": "This workbook depends on a parser based on a Kusto Function to work as expected [**Fortiweb**](https://aka.ms/sentinel-FortiwebDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.", -"dataTypesDependencies": [ - "CommonSecurityLog" -], -"dataConnectorsDependencies": [ -"FortinetFortiWeb" -], -"previewImagesFileNames": [], -"version": "1.0.0", -"title": "Fortiweb-workbook", -"templateRelativePath": "Fortiweb-workbook.json", -"subtitle": "", -"provider": "Microsoft" -}, -{ - "workbookKey": "WebSessionEssentialsWorkbook", - "logoFileName": "", - "description": "The 'Web Session Essentials' workbook provides real-time insights into activity and potential threats in your network. This workbook is designed for network teams, security architects, analysts, and consultants to monitor, identify and investigate threats on Web servers, Web Proxies and Web Security Gateways assets. 
This Workbook gives a summary of analysed web traffic and helps with threat analysis and investigating suspicious http traffic.", - "dataTypesDependencies": [], - "dataConnectorsDependencies": [], - "previewImagesFileNames": [ - "WebSessionEssentialsWorkbookWhite.png", - "WebSessionEssentialsWorkbookBlack.png" - ], - "version": "1.0.0", - "title": "Web Session Essentials Workbook", - "templateRelativePath": "WebSessionEssentials.json", - "subtitle": "", - "provider": "Microsoft" -}, -{ - "workbookKey": "IslandAdminAuditOverview", + { + "workbookKey": "IslandUserActivityOverview", "logoFileName": "island.svg", - "description": "This workbook provides a view into the activities of administrators in the Island Management Console.", + "description": "This workbook provides a view into the activities of users while using the Island Enterprise Browser.", "dataTypesDependencies": [], "dataConnectorsDependencies": [], "previewImagesFileNames": [ - "IslandEnterpriseBrowserAdminAuditOverview.png" + "IslandEnterpriseBrowserUserActivityOverview.png" ], "version": "1.0.0", - "title": "Island Admin Audit Overview", - "templateRelativePath": "IslandAdminAuditOverview.json", + "title": "Island User Activity Overview", + "templateRelativePath": "IslandUserActivityOverview.json", "subtitle": "", "provider": "Island" -}, -{ -"workbookKey": "IslandUserActivityOverview", -"logoFileName": "island.svg", -"description": "This workbook provides a view into the activities of users while using the Island Enterprise Browser.", -"dataTypesDependencies": [], -"dataConnectorsDependencies": [], -"previewImagesFileNames": [ - "IslandEnterpriseBrowserUserActivityOverview.png" -], -"version": "1.0.0", -"title": "Island User Activity Overview", -"templateRelativePath": "IslandUserActivityOverview.json", -"subtitle": "", -"provider": "Island" -}, -{ - "workbookKey": "BloodHoundEnterpriseAttackPathWorkbook", - "description": "Gain insights into BloodHound Enterprise attack paths.", - 
"dataTypesDependencies": [ "BloodHoundEnterprise" ], - "dataConnectorsDependencies": [ "BloodHoundEnterprise" ], - "version": "1.0", - "title": "BloodHound Enterprise Attack Paths", - "templateRelativePath": "BloodHoundEnterpriseAttackPath.json", - "subtitle": "", - "provider": "SpecterOps" - }, - { - "workbookKey": "BloodHoundEnterprisePostureWorkbook", - "description": "Gain insights into BloodHound Enterprise domain posture.", - "dataTypesDependencies": [ "BloodHoundEnterprise" ], - "dataConnectorsDependencies": [ "BloodHoundEnterprise" ], - "version": "1.0", - "title": "BloodHound Enterprise Posture", - "templateRelativePath": "BloodHoundEnterprisePosture.json", - "subtitle": "", - "provider": "SpecterOps" }, { - "workbookKey": "BitSightWorkbook", - "logoFileName": "BitSight.svg", - "description": "Gain insights into BitSight data.", - "dataTypesDependencies": ["Alerts_data_CL", "Breaches_data_CL", "Company_details_CL", "Company_rating_details_CL", "Diligence_historical_statistics_CL", "Diligence_statistics_CL", "Findings_summary_CL", "Findings_data_CL", "Graph_data_CL", "Industrial_statistics_CL", "Observation_statistics_CL"], - "dataConnectorsDependencies": ["BitSightDatConnector"], - "previewImagesFileNames": ["BitSightWhite1.png","BitSightBlack1.png"], - "version": "1.0.0", - "title": "BitSight", - "templateRelativePath": "BitSightWorkbook.json", + "workbookKey": "BloodHoundEnterpriseAttackPathWorkbook", + "description": "Gain insights into BloodHound Enterprise attack paths.", + "dataTypesDependencies": [ "BloodHoundEnterprise" ], + "dataConnectorsDependencies": [ "BloodHoundEnterprise" ], + "version": "1.0", + "title": "BloodHound Enterprise Attack Paths", + "templateRelativePath": "BloodHoundEnterpriseAttackPath.json", + "subtitle": "", + "provider": "SpecterOps" + }, + { + "workbookKey": "BloodHoundEnterprisePostureWorkbook", + "description": "Gain insights into BloodHound Enterprise domain posture.", + "dataTypesDependencies": [ "BloodHoundEnterprise" 
],
+ "dataConnectorsDependencies": [ "BloodHoundEnterprise" ],
+ "version": "1.0",
+ "title": "BloodHound Enterprise Posture",
+ "templateRelativePath": "BloodHoundEnterprisePosture.json",
+ "subtitle": "",
+ "provider": "SpecterOps"
+ },
+ {
+ "workbookKey": "BitSightWorkbook",
+ "logoFileName": "BitSight.svg",
+ "description": "Gain insights into BitSight data.",
+ "dataTypesDependencies": ["Alerts_data_CL", "Breaches_data_CL", "Company_details_CL", "Company_rating_details_CL", "Diligence_historical_statistics_CL", "Diligence_statistics_CL", "Findings_summary_CL", "Findings_data_CL", "Graph_data_CL", "Industrial_statistics_CL", "Observation_statistics_CL"],
+ "dataConnectorsDependencies": ["BitSightDatConnector"],
+ "previewImagesFileNames": ["BitSightWhite1.png","BitSightBlack1.png"],
+ "version": "1.0.0",
+ "title": "BitSight",
+ "templateRelativePath": "BitSightWorkbook.json",
+ "subtitle": "",
+ "provider": "BitSight"
+ },
+ {
+ "workbookKey": "VectraXDR",
+ "logoFileName": "",
+ "description": "This workbook provides visualization of Audit, Detections, Entity Scoring, Lockdown and Health data.",
+ "dataTypesDependencies": [
+ "Audits_Data_CL",
+ "Detections_Data_CL",
+ "Entity_Scoring_Data_CL",
+ "Lockdown_Data_CL",
+ "Health_Data_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "VectraDataConnector"
+ ],
+ "previewImagesFileNames": [
+ "VectraXDRWhite1.png",
+ "VectraXDRWhite2.png",
+ "VectraXDRWhite3.png",
+ "VectraXDRWhite4.png",
+ "VectraXDRWhite5.png",
+ "VectraXDRBlack1.png",
+ "VectraXDRBlack2.png",
+ "VectraXDRBlack3.png",
+ "VectraXDRBlack4.png",
+ "VectraXDRBlack5.png"
+ ],
+ "version": "1.0.0",
+ "title": "Vectra XDR",
+ "templateRelativePath": "VectraXDR.json",
+ "subtitle": "",
+ "provider": "Vectra"
+ },
+ {
+ "workbookKey": "CloudflareWorkbook",
+ "logoFileName": "cloudflare.svg",
+ "description": "Gain insights into Cloudflare events. 
You will get visibility on your Cloudflare web traffic, security, reliability.", + "dataTypesDependencies": [ "Cloudflare_CL" ], + "dataConnectorsDependencies": [ "CloudflareDataConnector" ], + "previewImagesFileNames": ["CloudflareOverviewWhite01.png", "CloudflareOverviewWhite02.png", "CloudflareOverviewBlack01.png", "CloudflareOverviewBlack02.png"], + "version": "1.0", + "title": "Cloudflare", + "templateRelativePath": "Cloudflare.json", "subtitle": "", - "provider": "BitSight" + "provider": "Cloudflare" }, { - "workbookKey": "VectraXDR", - "logoFileName": "", - "description": "This workbook provides visualization of Audit, Detections, Entity Scoring, Lockdown and Health data.", + "workbookKey": "CofenseIntelligenceWorkbook", + "logoFileName": "CofenseTriage.svg", + "description": "This workbook provides visualization of Cofense Intelligence threat indicators which are ingested in the Microsoft Sentinel Threat intelligence.", "dataTypesDependencies": [ - "Audits_Data_CL", - "Detections_Data_CL", - "Entity_Scoring_Data_CL", - "Lockdown_Data_CL", - "Health_Data_CL" + "ThreatIntelligenceIndicator", + "Malware_Data" ], "dataConnectorsDependencies": [ - "VectraDataConnector" + "CofenseIntelligenceDataConnector" ], "previewImagesFileNames": [ - "VectraXDRWhite1.png", - "VectraXDRWhite2.png", - "VectraXDRWhite3.png", - "VectraXDRWhite4.png", - "VectraXDRWhite5.png", - "VectraXDRBlack1.png", - "VectraXDRBlack2.png", - "VectraXDRBlack3.png", - "VectraXDRBlack4.png", - "VectraXDRBlack5.png" + "CofenseIntelligenceWhite1.png", + "CofenseIntelligenceBlack1.png" ], - "version": "1.0.0", - "title": "Vectra XDR", - "templateRelativePath": "VectraXDR.json", + "version": "1.0", + "title": "CofenseIntelligenceThreatIndicators", + "templateRelativePath": "CofenseIntelligenceThreatIndicators.json", "subtitle": "", - "provider": "Vectra" + "provider": "Cofense" }, { - "workbookKey": "CloudflareWorkbook", - "logoFileName": "cloudflare.svg", - "description": "Gain insights into 
Cloudflare events. You will get visibility on your Cloudflare web traffic, security, reliability.",
- "dataTypesDependencies": [ "Cloudflare_CL" ],
- "dataConnectorsDependencies": [ "CloudflareDataConnector" ],
- "previewImagesFileNames": ["CloudflareOverviewWhite01.png", "CloudflareOverviewWhite02.png", "CloudflareOverviewBlack01.png", "CloudflareOverviewBlack02.png"],
- "version": "1.0",
- "title": "Cloudflare",
- "templateRelativePath": "Cloudflare.json",
- "subtitle": "",
- "provider": "Cloudflare"
-},
-{
- "workbookKey": "CofenseIntelligenceWorkbook",
- "logoFileName": "CofenseTriage.svg",
- "description": "This workbook provides visualization of Cofense Intelligence threat indicators which are ingested in the Microsoft Sentinel Threat intelligence.",
- "dataTypesDependencies": [
- "ThreatIntelligenceIndicator",
- "Malware_Data"
- ],
- "dataConnectorsDependencies": [
- "CofenseIntelligenceDataConnector"
- ],
- "previewImagesFileNames": [
- "CofenseIntelligenceWhite1.png",
- "CofenseIntelligenceBlack1.png"
- ],
- "version": "1.0",
- "title": "CofenseIntelligenceThreatIndicators",
- "templateRelativePath": "CofenseIntelligenceThreatIndicators.json",
+ "workbookKey": "EgressDefendMetricWorkbook",
+ "logoFileName": "",
+ "description": "A workbook providing insights into Egress Defend.",
+ "dataTypesDependencies": ["EgressDefend_CL"],
+ "previewImagesFileNames": [ "EgressDefendMetricWorkbookBlack01.png", "EgressDefendMetricWorkbookWhite01.png" ],
+ "version": "1.0.0",
+ "title": "Egress Defend Insights",
+ "templateRelativePath": "DefendMetrics.json",
+ "subtitle": "Defend Metrics",
+ "provider": "Egress Software Technologies"
+ },
+ {
+ "workbookKey": "SalemDashboard",
+ "logoFileName": "salem_logo.svg",
+ "description": "Monitor Salem Performance",
+ "dataTypesDependencies": [ "SalemAlerts_CL" ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "Salem Alerts Workbook",
+ "templateRelativePath": 
"SalemDashboard.json",
 "subtitle": "",
- "provider": "Cofense"
-},
-{
- "workbookKey": "EgressDefendMetricWorkbook",
- "logoFileName": "",
- "description": "A workbook providing insights into Egress Defend.",
- "dataTypesDependencies": ["EgressDefend_CL"],
- "previewImagesFileNames": [ "EgressDefendMetricWorkbookBlack01.png", "EgressDefendMetricWorkbookWhite01.png" ],
- "version": "1.0.0",
- "title": "Egress Defend Insights",
- "templateRelativePath": "DefendMetrics.json",
- "subtitle": "Defend Metrics",
- "provider": "Egress Software Technologies"
+ "provider": "SalemCyber"
 }
]
\ No newline at end of file
