",,"Your options",US,"5/30/2023, 2:29:59.000 PM",86592,Moved,1685457000,"CIP:198.11.111.111;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:bad-domain.com;PTR:bad-domain.com;CAT:NONE;SFS:(13230028)(966005)(26005)(559001)(579004);DIR:INB;","BCL:5;",false,false,"usera@mailguard.com.au",false,false,"MailGuard365_Threats_CL",,"74971cc8-0196-11ee-be56-0242ac120002","usera@mailguard.com.au"
\ No newline at end of file
diff --git a/Solutions/MailGuard 365/Data Connectors/MailGuard365.json b/Solutions/MailGuard 365/Data Connectors/MailGuard365.json
new file mode 100644
index 00000000000..c640442c041
--- /dev/null
+++ b/Solutions/MailGuard 365/Data Connectors/MailGuard365.json
@@ -0,0 +1,108 @@
+{
+ "id": "MailGuard365",
+ "title": "MailGuard 365",
+ "publisher": "MailGuard365",
+ "descriptionMarkdown": "MailGuard 365 Enhanced Email Security for Microsoft 365. Exclusive to the Microsoft marketplace, MailGuard 365 is integrated with Microsoft 365 security (incl. Defender) for enhanced protection against advanced email threats like phishing, ransomware and sophisticated BEC attacks.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "MailGuard365_Threats_CL",
+ "baseQuery": "MailGuard365_Threats_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description" : "All phishing threats stopped by MailGuard 365",
+ "query": "MailGuard365_Threats_CL \n | where Category == \"Phishing\""
+ },
+ {
+ "description" : "All threats summarized by sender email address",
+ "query": "MailGuard365_Threats_CL \n | summarize count() by Sender_Email_s"
+ },
+ {
+ "description" : "All threats summarized by category",
+ "query": "MailGuard365_Threats_CL \n | summarize count() by Category"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "MailGuard365_Threats_CL",
+ "lastDataReceivedQuery": "MailGuard365_Threats_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "MailGuard365_Threats_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Configure and connect MailGuard 365",
+ "description": "1. In the MailGuard 365 Console, click **Settings** on the navigation bar.\n2. Click the **Integrations** tab.\n3. Click the **Enable Microsoft Sentinel**.\n4. Enter your workspace id and primary key from the fields below, click **Finish**.\n5. For additional instructions, please contact MailGuard 365 support.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Workspace ID"
+ },
+ "type": "CopyableLabel"
+ },
+ {
+ "parameters": {
+ "fillWith": [
+ "PrimaryKey"
+ ],
+ "label": "Primary Key"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "id": "310bcb08-38be-4257-b4d5-035e1ae3f256",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "author": {
+ "name": "MailGuard 365"
+ },
+ "support": {
+ "name": "MailGuard 365",
+ "link": "https://www.mailguard365.com/support",
+ "tier": "developer"
+ }
+ }
+}
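Review bot: The Workspace permission block asks for `"delete": true` while its permissionsDisplayText says only read and write are required, and nothing in the instruction step (copying the Workspace ID and Primary Key into the MailGuard console) needs delete rights on the workspace, so either set `"delete": false` or align the text with what is actually required. The instruction step hands the workspace Primary Key to a third-party console; that key authorises writes to every table in the workspace, not just MailGuard365_Threats_CL, so the description should say so and tell the operator to rotate the key if the integration is later removed, e.g. append `6. The primary key grants write access to the whole workspace; rotate it in the Log Analytics workspace if you disable this integration.` The sample query `| where Category == \"Phishing\"` references a column without the `_s` suffix that the other string column (Sender_Email_s) carries; confirm against ingested rows whether the column is really `Category` or `Category_s`.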
diff --git a/Solutions/MailGuard 365/Hunting Queries/MailGuard365HighConfidenceThreats.yaml b/Solutions/MailGuard 365/Hunting Queries/MailGuard365HighConfidenceThreats.yaml
new file mode 100644
index 00000000000..35a311007c1
--- /dev/null
+++ b/Solutions/MailGuard 365/Hunting Queries/MailGuard365HighConfidenceThreats.yaml
@@ -0,0 +1,25 @@
+id: 5e3aa1a5-5b69-421e-a3ac-32b04cb10353
+name: MailGuard 365 - High Confidence Threats
+description: |
+ 'Query searches for high confidence threats stopped by MailGuard 365.'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: MailGuard365
+ dataTypes:
+ - MailGuard365
+tactics:
+ - Reconnaissance
+relevantTechniques:
+ - T1598
+query: |
+ MailGuard365_Threats_CL
+ | where Score_d > 20
+ | extend MailMessage_0_NetworkMessageId = MessageId_s
+ | extend MailMessage_0_Recipient = Email_s
+entityMappings:
+ - entityType: Mail message
+ fieldMappings:
+ - identifier: NetworkMessageId
+ columnName: MessageId_s
+ - identifier: Recipient
+ columnName: Email_s
\ No newline at end of file
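Review bot: `dataTypes: - MailGuard365` does not match the data type the connector declares, `MailGuard365_Threats_CL`, so the query's declared dependency does not name the table it actually reads; change it to `- MailGuard365_Threats_CL`. The threshold `Score_d > 20` is undocumented and the description should state what Score_d measures and why 20 means "high confidence", e.g. `'Query searches for threats stopped by MailGuard 365 whose Score_d exceeds 20, the vendor's high-confidence threshold.'` — assuming that is the score's meaning; confirm with the vendor before committing to it. Tagging a generic score filter as Reconnaissance/T1598 is also a stretch; if these hits are predominantly phishing, InitialAccess/T1566 is the closer mapping.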
diff --git a/Solutions/MailGuard 365/Hunting Queries/MailGuard365MalwareThreats.yaml b/Solutions/MailGuard 365/Hunting Queries/MailGuard365MalwareThreats.yaml
new file mode 100644
index 00000000000..d94c0a1947e
--- /dev/null
+++ b/Solutions/MailGuard 365/Hunting Queries/MailGuard365MalwareThreats.yaml
@@ -0,0 +1,31 @@
+id: daaae6ad-1fd0-4efa-b571-116689e67a20
+name: MailGuard 365 - Malware Threats
+description: |
+ 'Query searches for malware threats stopped by MailGuard 365.'
+severity: High
+requiredDataConnectors:
+ - connectorId: MailGuard365
+ dataTypes:
+ - MailGuard365
+tactics:
+ - InitialAccess
+ - Reconnaissance
+relevantTechniques:
+ - T1592
+ - T1589
+ - T1590
+ - T1591
+ - T1189
+ - T1190
+query: |
+ MailGuard365_Threats_CL
+ | where Category == "Malicious Attachment"
+ | extend MailMessage_0_NetworkMessageId = MessageId_s
+ | extend MailMessage_0_Recipient = Email_s
+entityMappings:
+ - entityType: Mail message
+ fieldMappings:
+ - identifier: NetworkMessageId
+ columnName: MessageId_s
+ - identifier: Recipient
+ columnName: Email_s
diff --git a/Solutions/MailGuard 365/Hunting Queries/MailGuard365PhishingThreats.yaml b/Solutions/MailGuard 365/Hunting Queries/MailGuard365PhishingThreats.yaml
new file mode 100644
index 00000000000..90988e629ee
--- /dev/null
+++ b/Solutions/MailGuard 365/Hunting Queries/MailGuard365PhishingThreats.yaml
@@ -0,0 +1,28 @@
+id: ee15ed10-d355-474e-b8ad-a8bbb76f6d38
+name: MailGuard 365 - Phishing Threats
+description: |
+ 'Query searches for phishing threats stopped by MailGuard 365.'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: MailGuard365
+ dataTypes:
+ - MailGuard365
+tactics:
+ - InitialAccess
+ - Reconnaissance
+ - Credential Access
+relevantTechniques:
+ - T1598
+ - T1566
+query: |
+ MailGuard365_Threats_CL
+ | where Category == "Phishing"
+ | extend MailMessage_0_NetworkMessageId = MessageId_s
+ | extend MailMessage_0_Recipient = Email_s
+entityMappings:
+ - entityType: Mail message
+ fieldMappings:
+ - identifier: NetworkMessageId
+ columnName: MessageId_s
+ - identifier: Recipient
+ columnName: Email_s
\ No newline at end of file
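Review bot: `- Credential Access` is written with a space while the sibling entries use the CamelCase enum form (`InitialAccess`); Sentinel hunting-query tactics are the enum names, so this should be `- CredentialAccess` or solution validation is likely to reject the file. `dataTypes: - MailGuard365` does not match the connector's declared `MailGuard365_Threats_CL` and should be changed to that. Reconnaissance alongside T1598 (Phishing for Information) is defensible if credential-harvesting lures are the intent, but the description only says "phishing threats", so spell that out or drop the tactic.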
diff --git a/Solutions/MailGuard 365/Package/3.0.0.zip b/Solutions/MailGuard 365/Package/3.0.0.zip
new file mode 100644
index 00000000000..008a6df98df
Binary files /dev/null and b/Solutions/MailGuard 365/Package/3.0.0.zip differ
diff --git a/Solutions/MailGuard 365/Package/createUiDefinition.json b/Solutions/MailGuard 365/Package/createUiDefinition.json
new file mode 100644
index 00000000000..6a147860162
--- /dev/null
+++ b/Solutions/MailGuard 365/Package/createUiDefinition.json
@@ -0,0 +1,193 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nStrengthen your Microsoft 365 email security against advanced zero-day phishing, ransomware & BEC attacks with MailGuard 365 enhanced email security. This Microsoft Sentinel Solution enables you to ingest threat data from MailGuard 365.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Hunting Queries:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for MailGuard 365. You can get MailGuard 365 custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "workbooks",
+ "label": "Workbooks",
+ "subLabel": {
+ "preValidation": "Configure the workbooks",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Workbooks",
+ "elements": [
+ {
+ "name": "workbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences."
+ }
+ },
+ {
+ "name": "workbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+ }
+ }
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": "MailGuard365",
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "MailGuard 365 Workbook"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "name": "huntingqueries",
+ "label": "Hunting Queries",
+ "bladeTitle": "Hunting Queries",
+ "elements": [
+ {
+ "name": "huntingqueries-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view."
+ }
+ },
+ {
+ "name": "huntingqueries-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/hunting"
+ }
+ }
+ },
+ {
+ "name": "huntingquery1",
+ "type": "Microsoft.Common.Section",
+ "label": "MailGuard 365 - High Confidence Threats",
+ "elements": [
+ {
+ "name": "huntingquery1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Query searches for high confidence threats stopped by MailGuard 365. This hunting query depends on MailGuard365 data connector (MailGuard365 Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery2",
+ "type": "Microsoft.Common.Section",
+ "label": "MailGuard 365 - Phishing Threats",
+ "elements": [
+ {
+ "name": "huntingquery2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Query searches for phishing threats stopped by MailGuard 365. This hunting query depends on MailGuard365 data connector (MailGuard365 Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery3",
+ "type": "Microsoft.Common.Section",
+ "label": "MailGuard 365 - Malware Threats",
+ "elements": [
+ {
+ "name": "huntingquery3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Query searches for malware threats stopped by MailGuard 365. This hunting query depends on MailGuard365 data connector (MailGuard365 Parser or Table)"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
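Review bot: The workspace dropdown filter `contains(toLower(filter.id), toLower(resourceGroup().name))` is a substring match on the full resource ID, so a workspace in a differently-named resource group whose name contains the selected one (e.g. `sec` versus `security`) is also offered, and the same test drives the `workspace-location` output. Matching the resource-group path segment closes that gap, e.g. `contains(toLower(filter.id), concat('/resourcegroups/', toLower(resourceGroup().name), '/'))`, applied in both places. `Microsoft.Logic/workflows` is listed in resourceProviders although the description says the solution ships one connector, one workbook and three hunting queries and no playbooks; drop it unless a playbook is planned, so the wizard does not require registering a provider the solution never uses.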
diff --git a/Solutions/MailGuard 365/Package/mainTemplate.json b/Solutions/MailGuard 365/Package/mainTemplate.json
new file mode 100644
index 00000000000..18882df9e55
--- /dev/null
+++ b/Solutions/MailGuard 365/Package/mainTemplate.json
@@ -0,0 +1,812 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "MailGuard - support@mailguard365.com",
+ "comments": "Solution template for MailGuard 365"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "MailGuard365",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+ },
+ "variables": {
+ "email": "support@mailguard365.com",
+ "_email": "[variables('email')]",
+ "_solutionName": "MailGuard 365",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "mailguardptylimited.microsoft-sentinel-solution-mailguard365",
+ "_solutionId": "[variables('solutionId')]",
+ "uiConfigId1": "MailGuard365",
+ "_uiConfigId1": "[variables('uiConfigId1')]",
+ "dataConnectorContentId1": "MailGuard365",
+ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
+ "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "_dataConnectorId1": "[variables('dataConnectorId1')]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
+ "dataConnectorVersion1": "1.0.0",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "huntingQueryVersion1": "1.0.0",
+ "huntingQuerycontentId1": "5e3aa1a5-5b69-421e-a3ac-32b04cb10353",
+ "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]",
+ "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]",
+ "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]",
+ "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]",
+ "huntingQueryVersion2": "1.0.0",
+ "huntingQuerycontentId2": "ee15ed10-d355-474e-b8ad-a8bbb76f6d38",
+ "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]",
+ "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]",
+ "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]",
+ "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]",
+ "huntingQueryVersion3": "1.0.0",
+ "huntingQuerycontentId3": "daaae6ad-1fd0-4efa-b571-116689e67a20",
+ "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]",
+ "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]",
+ "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]",
+ "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]",
+ "workbookVersion1": "1.0.0",
+ "workbookContentId1": "MailGuard365Workbook",
+ "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MailGuard 365 data connector with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId1')]",
+ "title": "MailGuard 365",
+ "publisher": "MailGuard365",
+ "descriptionMarkdown": "MailGuard 365 Enhanced Email Security for Microsoft 365. Exclusive to the Microsoft marketplace, MailGuard 365 is integrated with Microsoft 365 security (incl. Defender) for enhanced protection against advanced email threats like phishing, ransomware and sophisticated BEC attacks.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "MailGuard365_Threats_CL",
+ "baseQuery": "MailGuard365_Threats_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All phishing threats stopped by MailGuard 365",
+ "query": "MailGuard365_Threats_CL \n | where Category == \"Phishing\""
+ },
+ {
+ "description": "All threats summarized by sender email address",
+ "query": "MailGuard365_Threats_CL \n | summarize count() by Sender_Email_s"
+ },
+ {
+ "description": "All threats summarized by category",
+ "query": "MailGuard365_Threats_CL \n | summarize count() by Category"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "MailGuard365_Threats_CL",
+ "lastDataReceivedQuery": "MailGuard365_Threats_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "MailGuard365_Threats_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "1. In the MailGuard 365 Console, click **Settings** on the navigation bar.\n2. Click the **Integrations** tab.\n3. Click the **Enable Microsoft Sentinel**.\n4. Enter your workspace id and primary key from the fields below, click **Finish**.\n5. For additional instructions, please contact MailGuard 365 support.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Workspace ID"
+ },
+ "type": "CopyableLabel"
+ },
+ {
+ "parameters": {
+ "fillWith": [
+ "PrimaryKey"
+ ],
+ "label": "Primary Key"
+ },
+ "type": "CopyableLabel"
+ }
+ ],
+ "title": "Configure and connect MailGuard 365"
+ }
+ ],
+ "metadata": {
+ "id": "310bcb08-38be-4257-b4d5-035e1ae3f256",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "author": {
+ "name": "MailGuard 365"
+ },
+ "support": {
+ "name": "MailGuard 365",
+ "link": "https://www.mailguard365.com/support",
+ "tier": "developer"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MailGuard 365",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "MailGuard",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "MailGuard 365",
+ "email": "support@mailguard365.com",
+ "tier": "Partner",
+ "link": "https://www.mailguard365.com/support/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "MailGuard 365",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId1')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MailGuard 365",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "MailGuard",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "MailGuard 365",
+ "email": "support@mailguard365.com",
+ "tier": "Partner",
+ "link": "https://www.mailguard365.com/support/"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "MailGuard 365",
+ "publisher": "MailGuard365",
+ "descriptionMarkdown": "MailGuard 365 Enhanced Email Security for Microsoft 365. Exclusive to the Microsoft marketplace, MailGuard 365 is integrated with Microsoft 365 security (incl. Defender) for enhanced protection against advanced email threats like phishing, ransomware and sophisticated BEC attacks.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "MailGuard365_Threats_CL",
+ "baseQuery": "MailGuard365_Threats_CL"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "MailGuard365_Threats_CL",
+ "lastDataReceivedQuery": "MailGuard365_Threats_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "MailGuard365_Threats_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All phishing threats stopped by MailGuard 365",
+ "query": "MailGuard365_Threats_CL \n | where Category == \"Phishing\""
+ },
+ {
+ "description": "All threats summarized by sender email address",
+ "query": "MailGuard365_Threats_CL \n | summarize count() by Sender_Email_s"
+ },
+ {
+ "description": "All threats summarized by category",
+ "query": "MailGuard365_Threats_CL \n | summarize count() by Category"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "1. In the MailGuard 365 Console, click **Settings** on the navigation bar.\n2. Click the **Integrations** tab.\n3. Click the **Enable Microsoft Sentinel**.\n4. Enter your workspace id and primary key from the fields below, click **Finish**.\n5. For additional instructions, please contact MailGuard 365 support.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Workspace ID"
+ },
+ "type": "CopyableLabel"
+ },
+ {
+ "parameters": {
+ "fillWith": [
+ "PrimaryKey"
+ ],
+ "label": "Primary Key"
+ },
+ "type": "CopyableLabel"
+ }
+ ],
+ "title": "Configure and connect MailGuard 365"
+ }
+ ],
+ "id": "[variables('_uiConfigId1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MailGuard365HighConfidenceThreats_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "MailGuard_365_Hunting_Query_1",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "MailGuard 365 - High Confidence Threats",
+ "category": "Hunting Queries",
+ "query": "MailGuard365_Threats_CL\n| where Score_d > 20\n| extend MailMessage_0_NetworkMessageId = MessageId_s\n| extend MailMessage_0_Recipient = Email_s\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "Query searches for high confidence threats stopped by MailGuard 365."
+ },
+ {
+ "name": "tactics",
+ "value": "Reconnaissance"
+ },
+ {
+ "name": "techniques",
+ "value": "T1598"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "properties": {
+ "description": "MailGuard 365 Hunting Query 1",
+ "parentId": "[variables('huntingQueryId1')]",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MailGuard 365",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "MailGuard",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "MailGuard 365",
+ "email": "support@mailguard365.com",
+ "tier": "Partner",
+ "link": "https://www.mailguard365.com/support/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "MailGuard 365 - High Confidence Threats",
+ "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
+ "id": "[variables('_huntingQuerycontentProductId1')]",
+ "version": "[variables('huntingQueryVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MailGuard365PhishingThreats_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "MailGuard_365_Hunting_Query_2",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "MailGuard 365 - Phishing Threats",
+ "category": "Hunting Queries",
+ "query": "MailGuard365_Threats_CL\n| where Category == \"Phishing\"\n| extend MailMessage_0_NetworkMessageId = MessageId_s\n| extend MailMessage_0_Recipient = Email_s\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "Query searches for phishing threats stopped by MailGuard 365."
+ },
+ {
+ "name": "tactics",
+ "value": "InitialAccess,Reconnaissance,CredentialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1598,T1566"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
+ "properties": {
+ "description": "MailGuard 365 Hunting Query 2",
+ "parentId": "[variables('huntingQueryId2')]",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MailGuard 365",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "MailGuard",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "MailGuard 365",
+ "email": "support@mailguard365.com",
+ "tier": "Partner",
+ "link": "https://www.mailguard365.com/support/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "MailGuard 365 - Phishing Threats",
+ "contentProductId": "[variables('_huntingQuerycontentProductId2')]",
+ "id": "[variables('_huntingQuerycontentProductId2')]",
+ "version": "[variables('huntingQueryVersion2')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName3')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MailGuard365MalwareThreats_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion3')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "MailGuard_365_Hunting_Query_3",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "MailGuard 365 - Malware Threats",
+ "category": "Hunting Queries",
+ "query": "MailGuard365_Threats_CL\n| where Category == \"Malicious Attachment\"\n| extend MailMessage_0_NetworkMessageId = MessageId_s\n| extend MailMessage_0_Recipient = Email_s\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "Query searches for malware threats stopped by MailGuard 365."
+ },
+ {
+ "name": "tactics",
+ "value": "InitialAccess,Reconnaissance"
+ },
+ {
+ "name": "techniques",
+ "value": "T1592,T1589,T1590,T1591,T1189,T1190"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
+ "properties": {
+ "description": "MailGuard 365 Hunting Query 3",
+ "parentId": "[variables('huntingQueryId3')]",
+ "contentId": "[variables('_huntingQuerycontentId3')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion3')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MailGuard 365",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "MailGuard",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "MailGuard 365",
+ "email": "support@mailguard365.com",
+ "tier": "Partner",
+ "link": "https://www.mailguard365.com/support/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId3')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "MailGuard 365 - Malware Threats",
+ "contentProductId": "[variables('_huntingQuerycontentProductId3')]",
+ "id": "[variables('_huntingQuerycontentProductId3')]",
+ "version": "[variables('huntingQueryVersion3')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('workbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MailGuard365DashboardWorkbook Workbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('workbookVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId1')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "MailGuard 365 Workbook"
+ },
+ "properties": {
+ "displayName": "[parameters('workbook1-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## MailGuard 365\\n---\\n\\nMailGuard 365 Dashboard\"},\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"# Threat Count by Category\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MailGuard365_Threats_CL \\n| summarize Count=count() by Category\\n| render barchart\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"# Threat Origin by Country\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MailGuard365_Threats_CL\\n| summarize Count=count() by OriginCountry_s\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"tileSettings\":{\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"OriginCountry_s\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"Count\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"# Top targetted recipients\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MailGuard365_Threats_CL\\n| summarize Count=count() by Email_s\",\"size\":0,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"name\":\"query - 
6\"},{\"type\":1,\"content\":{\"json\":\"# Threat Count over time\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MailGuard365_Threats_CL\\n| summarize Count=count() by format_datetime(unixtime_seconds_todatetime(ReceivedDateTime_d), \\\"yyyy-MM-dd\\\")\\n| sort by Column1 asc\\n\",\"size\":0,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"name\":\"query - 8\"}],\"fromTemplateId\":\"mailguard365-UserWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+ "properties": {
+ "description": "@{workbookKey=MailGuard365Workbook; logoFileName=MailGuard365_logo.svg; description=MailGuard 365 Workbook; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=MailGuard365; templateRelativePath=MailGuard365Dashboard.json; subtitle=; provider=MailGuard 365}.description",
+ "parentId": "[variables('workbookId1')]",
+ "contentId": "[variables('_workbookContentId1')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MailGuard 365",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "MailGuard",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "MailGuard 365",
+ "email": "support@mailguard365.com",
+ "tier": "Partner",
+ "link": "https://www.mailguard365.com/support/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "MailGuard365_Threats_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "MailGuard365",
+ "kind": "DataConnector"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "MailGuard 365",
+ "publisherDisplayName": "MailGuard 365",
+ "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nStrengthen your Microsoft 365 email security against advanced zero-day phishing, ransomware & BEC attacks with MailGuard 365 enhanced email security. This Microsoft Sentinel Solution enables you to ingest threat data from MailGuard 365.
\nData Connectors: 1, Workbooks: 1, Hunting Queries: 3
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MailGuard 365",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "MailGuard",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "MailGuard 365",
+ "email": "support@mailguard365.com",
+ "tier": "Partner",
+ "link": "https://www.mailguard365.com/support/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "version": "[variables('huntingQueryVersion1')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "version": "[variables('huntingQueryVersion2')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId3')]",
+ "version": "[variables('huntingQueryVersion3')]"
+ },
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2023-05-09",
+ "lastPublishDate": "2023-06-08",
+ "providers": [
+ "MailGuard"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Protection"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/MailGuard 365/ReleaseNotes.md b/Solutions/MailGuard 365/ReleaseNotes.md
new file mode 100644
index 00000000000..d44c5aa2db1
--- /dev/null
+++ b/Solutions/MailGuard 365/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------|
+| 3.0.0 | 31-08-2023 | Initial Version Release |
\ No newline at end of file
diff --git a/Solutions/MailGuard 365/SolutionMetadata.json b/Solutions/MailGuard 365/SolutionMetadata.json
new file mode 100644
index 00000000000..cb9c843521e
--- /dev/null
+++ b/Solutions/MailGuard 365/SolutionMetadata.json
@@ -0,0 +1,17 @@
+{
+ "publisherId": "mailguardptylimited",
+ "offerId": "microsoft-sentinel-solution-mailguard365",
+ "firstPublishDate": "2023-05-09",
+ "lastPublishDate": "2023-06-08",
+ "providers": ["MailGuard"],
+ "categories": {
+ "domains" : ["Security - Threat Protection"],
+ "verticals": []
+ },
+ "support": {
+ "name": "MailGuard 365",
+ "email": "support@mailguard365.com",
+ "tier": "Partner",
+ "link": "https://www.mailguard365.com/support/"
+ }
+}
\ No newline at end of file
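Review bot: `lastPublishDate` is `"2023-06-08"`, which is earlier than the 31-08-2023 date ReleaseNotes.md records for the 3.0.0 initial release, and the same firstPublishDate/lastPublishDate pair is repeated in the packaged mainTemplate's contentPackages resource. If 3.0.0 is the first published version the two files should agree, e.g. `"lastPublishDate": "2023-08-31"`, otherwise the release note date should be corrected. A minor style point: `"domains" : [` carries a space before the colon unlike every other key in the file.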
diff --git a/Solutions/MailGuard 365/Workbooks/MailGuard365Dashboard.json b/Solutions/MailGuard 365/Workbooks/MailGuard365Dashboard.json
new file mode 100644
index 00000000000..f335f27f92f
--- /dev/null
+++ b/Solutions/MailGuard 365/Workbooks/MailGuard365Dashboard.json
@@ -0,0 +1,136 @@
+{
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## MailGuard 365\n---\n\nMailGuard 365 Dashboard"
+ },
+ "name": "text - 2"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "# Threat Count by Category"
+ },
+ "name": "text - 4"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MailGuard365_Threats_CL \n| summarize Count=count() by Category\n| render barchart",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart"
+ },
+ "name": "query - 2"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "# Threat Origin by Country"
+ },
+ "name": "text - 3"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MailGuard365_Threats_CL\n| summarize Count=count() by OriginCountry_s",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "map",
+ "tileSettings": {
+ "showBorder": false
+ },
+ "mapSettings": {
+ "locInfo": "CountryRegion",
+ "locInfoColumn": "OriginCountry_s",
+ "sizeSettings": "Count",
+ "sizeAggregation": "Sum",
+ "legendMetric": "Count",
+ "legendAggregation": "Sum",
+ "itemColorSettings": {
+ "nodeColorField": "Count",
+ "colorAggregation": "Sum",
+ "type": "heatmap",
+ "heatmapPalette": "greenRed"
+ }
+ },
+ "textSettings": {
+ "style": "bignumber"
+ }
+ },
+ "name": "query - 2"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "# Top targetted recipients"
+ },
+ "name": "text - 5"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MailGuard365_Threats_CL\n| summarize Count=count() by Email_s",
+ "size": 0,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "table",
+ "gridSettings": {
+ "sortBy": [
+ {
+ "itemKey": "Count",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "Count",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "name": "query - 6"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "# Threat Count over time"
+ },
+ "name": "text - 7"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MailGuard365_Threats_CL\n| summarize Count=count() by format_datetime(unixtime_seconds_todatetime(ReceivedDateTime_d), \"yyyy-MM-dd\")\n| sort by Column1 asc\n",
+ "size": 0,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "barchart"
+ },
+ "name": "query - 8"
+ }
+ ],
+ "fromTemplateId": "mailguard365-UserWorkbook",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
\ No newline at end of file
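Review bot: The first KQL item ends in `| render barchart` while its `visualization` is `"piechart"`, so the query's render hint and the workbook setting disagree; dropping the render line, `"query": "MailGuard365_Threats_CL \n| summarize Count=count() by Category"`, leaves `visualization` as the single source of truth. Two items share `"name": "query - 2"`; item names act as identifiers within a workbook, so they are best kept unique (e.g. `"query - 3"` for the map item). The time-series item sorts by `Column1`, the auto-generated name of an unnamed summarize key, which is brittle; naming the key, `| summarize Count=count() by Day=format_datetime(unixtime_seconds_todatetime(ReceivedDateTime_d), \"yyyy-MM-dd\")\n| sort by Day asc`, makes the sort explicit. The heading `# Top targetted recipients` should read `targeted`.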
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index 49b6f7bb454..e0153c21a03 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -5492,5 +5492,22 @@
"templateRelativePath": "SalemDashboard.json",
"subtitle": "",
"provider": "SalemCyber"
+},
+{
+ "workbookKey": "MailGuard365Workbook",
+ "logoFileName": "MailGuard365_logo.svg",
+ "description": "MailGuard 365 Workbook",
+ "dataTypesDependencies": [
+ "MailGuard365_Threats_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "MailGuard365"
+ ],
+ "previewImagesFileNames": [],
+ "version": "1.0.0",
+ "title": "MailGuard365",
+ "templateRelativePath": "MailGuard365Dashboard.json",
+ "subtitle": "",
+ "provider": "MailGuard 365"
}
]
\ No newline at end of file
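Review bot: `"provider": "MailGuard 365"` here differs from the `providers` value `"MailGuard"` used in SolutionMetadata.json and in the packaged mainTemplate, so the workbook would be attributed under a different provider name than the solution itself; one spelling should be used in both places, e.g. `"provider": "MailGuard"`. Separately, the packaged workbook metadata `description` in the mainTemplate appears to be this whole entry rendered as a stringified PowerShell hashtable followed by `.description` rather than the `"MailGuard 365 Workbook"` text given here, which looks like generator output rather than a problem with this entry, but the package is worth regenerating and checking that the description comes through as written.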