From 8e754bc86bea5932510452820528f9cacdd86232 Mon Sep 17 00:00:00 2001
From: v-rusraut
Date: Mon, 14 Oct 2024 12:00:00 +0530
Subject: [PATCH 1/2] Repackaged for updated in Analytical Rule
---
 .../SuspiciousProcessCreation.yaml | 35 +-
 .../Solution_MalwareProtectionEssentials.json | 2 +-
 .../Package/3.0.1.zip | Bin 0 -> 22521 bytes
 .../Package/mainTemplate.json | 500 +++++++++---------
 4 files changed, 267 insertions(+), 270 deletions(-)
 create mode 100644 Solutions/Malware Protection Essentials/Package/3.0.1.zip
diff --git a/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml b/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
index af2a642b0a5..cbdc6568479 100644
--- a/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
+++ b/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
@@ -42,26 +42,23 @@ relevantTechniques:
 query: |
 _ASim_ProcessEvent
 | where EventType == 'ProcessCreated'
- | extend CommandLineArgs = todynamic(array_slice(split(CommandLine, " "), 1, -1))
+ | extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, " "), 1, -1), " ")
 | where strlen(CommandLineArgs) > 0
- | mv-apply CommandLineArgs on
- (
- where CommandLineArgs contains "base64"
- )
+ | where CommandLineArgs contains "base64"
 | project
- TimeGenerated,
- DvcHostname,
- DvcIpAddr,
- DvcDomain,
- TargetUsername,
- TargetUsernameType,
- TargetProcessName,
- TargetProcessId,
- CommandLine
- | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
- | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
- | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
- | extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')
+ TimeGenerated,
+ DvcHostname,
+ DvcIpAddr,
+ DvcDomain,
+ TargetUsername,
+ TargetUsernameType,
+ TargetProcessName,
+ TargetProcessId,
+ CommandLine
+ | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')), TargetUsername)
+ | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')), TargetUsername)
+ | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')), Username)
+ | extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')), '')
 entityMappings:
 - entityType: Host
 fieldMappings:
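Review bot: The four `| extend` lines on the new side drop the element index from `split(...)`, so `tostring(split(TargetUsername, '\\'))` now serializes the whole array — for a constructed input `CORP\alice` that is the text `["CORP","alice"]` — instead of one component, and Username, NTDomain and UPNSuffix will all carry that JSON string, which breaks the Account entity mapping that consumes those columns. The packaged copy of the same query in Package/mainTemplate.json (hunk `@@ -589,14 +589,14 @@`) repeats the index-less expressions and will need regenerating once the rule is fixed. The rest of the rewrite — joining the arguments with `strcat_array` and replacing the `mv-apply` with a plain `contains "base64"` filter over the joined string — looks correct. Restore the element indices on the four lines: `[1]`/`[0]` for the Windows `'\\'` split and `[0]`/`[1]` for the UPN `'@'` split.
```yaml
    # … unchanged: project list …
    | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
    | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
    | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
    | extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')
```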
@@ -94,5 +91,5 @@ eventGroupingSettings:
 alertDetailsOverride:
 alertDisplayNameFormat: "Process with suspicious command line arguments was created on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})"
 alertDescriptionFormat: "Process '{{TargetProcessName}}' ProcessId: '{{TargetProcessId}}' with commandline {{CommandLine}} was created."
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json b/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json
index 9b2ae8d2858..c60bdcd7f72 100644
--- a/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json
+++ b/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json
@@ -28,7 +28,7 @@
 ],
 "WorkbooksDescription": "This workbook provides details about Suspicious Malware Activities from File, Process and Registry events generated by EDR (Endpoint Detection and Response) solutions.",
 "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Malware Protection Essentials\\",
- "Version": "3.0.0",
+ "Version": "3.0.1",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Solutions/Malware Protection Essentials/Package/3.0.1.zip b/Solutions/Malware Protection Essentials/Package/3.0.1.zip new file mode 100644 index 0000000000000000000000000000000000000000..f6e72dbf7e2cdf73314422608c4a78d15dcd0591 GIT binary patch literal 22521 zcmX_`18`G zQ3ezY4G0Jb3P?jwUUS%vn*?=vA}M>E7Tv}?oaay& zF&be0kfR)3P9dabrfGdjzHuYGxh>UbbA2I*Vt;9`2Xjo4TuE%|fK~GFqV6pVFt=mv zI>5G{KmZlf7F%4J0{H!BjbxP!%I>y#76NE*7lwHS&v{BDp^p&r4w7A{sI)K;7ae|< zbgI2;Z#`@T7%{r+gwNORkNNoTf;o(l1!j5NGZizm!*{;ud}B zgkkXvB9{piJu<= z^o3EUdxIy`$Z`1mCKQ3Y;*4|^DFQVvoR=2Ef zTt2qo;~rwZV^_BC-fAcyHXk_Q)~*rU+}+-P=Tr-s7Y#yo;%(o&Z{+S=yL^6+u)_(7 z+P?Z*`+B>(8=E(FuU*@@EVr)IAE=7rfagt5=Z$=s_hx=~^pcPZmh zzk2ji#6A0cgKy}$|9*TuM(P#dN($2sQ_n#bAUJsW@#}VPbH!~YsJa2|dve2>TNe<( z)OwG~8)o#K^_}N?_4U^d`+@ms#|i7~6?O8z&_B5=Q3`x_rFlCW!RbwfI) zY3m;8vtiPQ9wbf)aPky7hqcIN1e@vu6Rm5O&LW4QcP0mh&p`U(K! zs5a!93p!fUQKJIl`Na+JG!FGO$I!U>O-2 zlmx~>L`WA2da8pRWI|F^e`&n~RSJ|l!AKhCkXI2Na`d%2&zYCjVa?NA_*V%w|4y`i z@08&GBSx3uw)#C1-N4G(j~~_J7>|M97OGYeb+`xjjMm};*QFKE0QU;v3copY{CWIV z9qhv=@vTE@TwEK#r&nRhY&g>-eQ@MR)o>dFDj<65jwN$w2h{FO0_^QyXp&4Tm>pJR zjJrw8KV8V`DHDcdOH6FZ3*NAz4K!uMdy7QO@oD@eI-n*$P(S-Ajn3oj0MC-v$`Z^* ziVF)zwBC}yK6?lR8VwG0*HCY8&z;4C)7i5 zYy%194WrT*A3PUkKHCfw5>;=tE4a`rlHPhNSZIe)HZiCQ0bCL8!#Knu*Ng<{M{K)N(4q7Afon=w7CtZ$FH(vPmH2hZ0001wj~n5D@U{2cWH_Si_;e!wV| zDWZXB!|fa4RciGbA19PS&HP?Ls(g}t2@~CtMEEg@ZYMtp zuivIoX*CF1Q!FqtFBW5#wDgr_as1RI^N@Q@=}R8PV6w736q3Z2E6y|ZTcWaJ-}Tqo zh4M7z#{fV}Ay>=X6Ke3+zw!MZW2pyFcp-;p%3&+APWk3p!SV*!ix`H}!-Wt{9MlXd zlQYGo!xJi)1zAIt*oN+e)g`?wH9Pd<9-hn_^Tz%aT_59y7pXad4{U++p)$}G)&Olj z+PgOlI@^UBgC`fP#W5Cf+@*9p+Z$AdR6z1DaEdjtt%(L1BPb>IDN~fQ{FNSN zude?wY*dtQtp2(^)Bz#v)T>;Q0Vha$p7@ogLUma`VoYz`ZA*+ucqd%WK?hT8j6l5=$#O}j@*4cS3pz_pXh9&rn0}ZmjvyEzSIv8C zdw1lUVH!Vj*M12jHUMZT<*9q5@KyAoE&n3*P0oOm#B0!D2eXE1;G2zSSBfnUHQ=wB z6vED~FBIPT7%#M1iSK^~O-OmOBjVdoluj}`J+T-=*bdwU37O40ZGxlxIOR79h!QrU z$3BWQ8WQXnm?jYAfNVF<53Yta3OagNIXP~z4S;fSbPS~G?l;e*&C^CG~oK;9frL~;S 
zo>q7FbBmfOo5ruCNz}xI0VkWQwSG-iW@{z|@nGcJ-yT(|DX2(Ny**0vp<=&ICGaOg zX($A)TRN}Ay-Vk=tAP3++&CyKx9MXsHv9N)fvK&ot$*EAI;vpd-S$8^y!u!IneRp< z!1!oW2^4<;&v?V0Q&HUl7sWj(IiXnu_bWh>B~VHQw--rbLbVZYGO~C}N0NN5Xe=`| z1ro)nR}0o?J!$BcQ}>N)B~=Kz9*Wu30Wg&5aXaq@G|jOJFpoa1R=?R!*zYTRlZ#1DJbXzF-3Uc*sg?5>IBXLCc0aR>G>U;Kq4azOJ$TQm~gs!~mR?)hv!7Z;fJ;GJ%>A3=@f!ZS@^ zAnv!EWu;$gP~)D@=2NM^Gt^78C9^DSIursOOTDcREWU&gV_DeUQODu`os%=nbEwN2V2Q_xFe{yg{)ap@ zSEbw#OW&(6$vWK9fOa@T!4wD`zb!YbRBzYbi&QDjU#NCl z>}Rxx(T7H}Q(ftwJ80Dt>^Er!Z>W<7AIBq-_b;qV{gR@(mdZLehK2AiWm(K>Fte7} z6ouj9b_4z;$3vR8j@Y7#Ah(Gt;Lhn+L&VY)Gxa{S878uci8wBX-B*Cs1HM|e4 zi4*QQ&$S_Rtg+nmZUNWwp+}HaUcSVh#@tX-^2Ohi&M2M;W%svzm%=#)Zug2NszYmi z8I2GJ_@2!-L@}Dq5 zu7OPTWiv6W>j42n${q%Ln(XyJZ$m8nbcA{ywttWSWd~q}`)03JUa~!(uP)1D7e7J{C(RkRpSg4B}*+D=dGk6Qd|bfjz8l zoF1|3d@>F3aefod)s67@^^snADf3%?thL<@9hO$NkfT>DqNk`bZ(oNWwMZsWbYi^R zk)XNCr5l1&OUIe_HQjB^!z<2R{qB-88N$s9to#Fmy+!+lB8*SA;{lf2#R1;R9E);U)^^@jFlxDozd1oq+8 zUMr?ax(9q}O)?1i>w?TDo#?f44ivvgp;0Ujbun=X$Zd@y?y)4}!Q4VN&ziy!OAr8_ z9x|_zj2l!6nZItS;&Lu@694rJ&=TbUtUK2Z%3)SD`-jK2{5yrT4hc@SI6iXv&R*c3 zoAKpFz|x(aIE#Q=;8XZmKdW+?WRz~M`Zy?4!5>AO9mYM^0BPu;eRLKk59yg>+G#!J zAqjRuV5`eKa_lnianLc~hKHmk>$6@NK1yZlY(_|h6z?l-Gm{oBV7TQav+xJqlbB613qFV>Z zz6?J0uf!xy56F4r!!GTH3B{RO9i8r_w;*Y=h`IdTsAIqgM#4ie^yPS#RB;r4s4YK# zckB7o8fRy~R6L%aCH?(RKG;)du$BDZ zp^>6TC=_Rfs+IebW3~5@jZhxv5RMZpEn3IB>+UI^jg^PYh=h^ni3`2m#0Op}DY6a3 z3ttvH9Nv$L9jU_o)^A!%vRr@Bo=B@%^U%bK9aM&ZYXO-<-2f2UAM1gNgD8`+tYxOsdqUBxm9%DqKL=6*YTg|8w*b z{smS_$IANxY|jH16=omW4*C#jS}ldZcL9%<&CH{b_nzGD%wP(HO-RomX6DbMGVpKK zGE|nWI~;x<2FgslN(?Z_R zm$uLQTH#3`M}aqW1Bj>bZM*H6Zr~3h|IPAwQu#_mvnYz8n0b-+^(^2ruZH)C8#AE` zb%BE`8$6Ez(4?up5wB1`9fMpi6B$I)Mm81vzsuA#6FpUGp=dK1j+3}HYZo^ARG;Af z-|&k6Uq|Bprz6$hllPvA0s(nPf&d}^(~)cqE$viHZ5?d>sY(B%AYJD8I&W|~_x;?+ z_JWRFMPDvAJ=xLZxJ;jLVkn?cDE!em&h+p>g4XnrP2f&!IFQ+z(W8}&Cj^(yC)JV% z*^VJe=reM!2fDjQeY?{C0WZk$N1SBJ*v&DwFvksD*j?K*bU8K%()E!eAA(1`-C@bY zP2VQ%LC0mkh{*-m<2;QNh?T^;Bc4H+FuOWPB79?cT=!mGHiF2`z@IhmL=ddz!XB|A 
zoZssE_zDZ#>>;tfLQtGi@xqSgB1-M7m)wAFQ;I^sm@Sl_g!Rh4aw$@x3`AxGzyKef zdr#B;2`OMygNorL=pLTNdxrM9@g`zgduk-i_q4eL;~_jInzxAbm2EDBf#v4PjTjsY zctzvG+E#!@!wl}Z(sS1BqulTn*}QO&t!1BIK*!q4K>d!*!J2qkqX^`9kh{;inJVe@ zhU`j~0W4?#Hqs0{+gQ*j&4FbQZ4A)(u;7GEkO>!~Mf0+V{0(I2Zxp--|0ID_D6lgW zg85a?;Y|D6jLna1gyvGaM56J_Ghmh?$c6(7x1t9 zY+8%Rbk96L=zElbXOU9lcailETal10(;$%`YB9$0?CgUbHiU-_TPOMpHxBc4kUC`} z&9c`t?JLFgzFocjL4n8+e(du_%b<YN_g89#-RoAsrM?G3Zs$i|%5Avc@EpS9o* zv8Zi2Y$=%BU0e{`u&sv!>!vq z6&(^(%>AcT2uY-^$KdxK6x5NIG3O|<<|?mFq4gmPq+59jr!no&ask9{P8V4u%vyv1jLT(M6-8P~72vhU<{ z#TWSc&R;x#|NK;5U9BKsSZHqOr*8E105yLq;muSUk5JM1*}r z+(Hc6QHo4^l_86*KG-f-Rw2>Omg8KaOwr8DHIw|XTq6FIt)czWFb2lJO21e>7HMmz z4bD0znoPt;o*<^Hw0(@_;VX){a5Y}F2H4{8O*A-^E?A+5IXHhIsZr_k1!rl)7_!kw z2Rk@_5LKBhzz}U}p%2jE55yGzTO+orz;gNTtVOHDqryu#X4^s?+@`fg(fgbu9svi8 zNL#ZXRAq84{y;TdNL}VHGU2x7f2%e~LG6VaLA9oZIB0icm`P>jhC3q_$?TL}iF*{f$^-BUvxB=~|g z=K)1qc6$dT2dAs&m{%QZ%%M;6gP6^oqebs!Ql;9%pb^vWL{&;XUQq5WXaiPi$xwUK z&mtOsOMVHrb z|GSmW|F&Xj2^D8vx9Rv5hjn*jN`tch6hebyG(h^#C&SLA^X4!NGy~Zf->SYH?NfdBfQ!azg6`jwr^!(H9W9FA}^9iMwhCf^E1zH9bfJWVC-g7S_RKuHD4OT~XPmYH8#7Plr6-MsK*8C8$VZ1J(K#LX>m5pm>- z0HZ|^cFnPJ)_+d7B{IaNHY<&S3cWWbHfi!qCI8K7p=*p~vc%b120)gGxQOpq;Ngs# zb*^16g|%tkQ2(rgQQWW$x!q2Ze?P2E2t&0@(No=tM5ECdTPDCrs0G94*Prjxr z)|Sb8b<@xr*zZpKBk$paDFgdFc>&l+!fZ&{o7rL{AlYA4sc0|jBo*snH)U=ZVX@^W zt;u1cnollE!Rj?EbwQ_unN=`vkIo|H4H_)J*;+@Z zyI^!vXQo0o?@-oWwXj>xs)n*+F5z!){+koeDh|XvW#IP|u)Nk^c;+mUod+{HF>P*{ zj6)?wY}PcE+@^LrEyp)J?N8pNE~mX+)8(&y*$rMDJ1vIsD9_7U@AiAwrPs0#cH85ri1*>t{+6)IVL0r>PIAkF&)3v1 zYTJ4kST#+#4BV$s^*$9H>ELl}Kjrn?BwCJ^39ohjYK16t1F89{^+Hr&vAaCdvF6|X zs|ZLOIB!S?=z&Z~+1(O;oBS3uE@oh!{2fFuV~)7s!X_Kwvk)%J*DjA%^spa1N7o zS>4CXa}Vqb4@|bJ)oSLzp^*H53aq(3`~yknpQ()qIU5# z;m4)5>iox0Z?mNWmwo>TbyHjTR2HBfI;HGq+u0`R`Ood!B~ACi`%v6O^#JbCzI0X? 
zJ;Xinnd@k0EWbY-6yD&*o^kRL0qUscOjy)--~}6!U;B%`{$^!T4`2H}-|ZTm-1qR; zPP&?zKBUVZ;FpH*<4_g2-m4@eH~CjCFLgtXU&4@ikNl=Ydmz{cyD)a?orwtkh>=Ac zW|(H8OlP)W6~(8xr#ZQ$sEpi2MKMI2ttRFS z%u4eQrQ5-=Jk|f+I|FR!(KKW4*fey7$#icY5yZpV(15T3(eIeN1s>C`7D4+Hw>Fy0 zI4j8J?wO|vKB5y?4v)S5I_@O4$FrC(m=FG*9aH~Wko9oMgh}7URS9uphIjJF6Z+!$ zt2qk}D#Pg=@6$JDl>?!cJPs0V^D+ozDO*dOd1jWCp#cVn2uoEoJ$(%isR@CeUJbol zhAtJ$z#E45#<{WYjx&^uBx|;MTI{IWOKqvP2%=n9v~Cc1ExvJ+!eGHD`O5-^`#B06 zt)55duNAg6%!jZ1y9&-T?{yjPY!8*zJC0+16UBJJEz`jcnADzq^j| zr0L}JXfEIitrlT9M1B>Ve4iUUgvRIvJx#rS(ZMx?^~ae<{7r;GjWHI+}mhv z5vlpBX<$_9;0V186*EumOm?0G-pwf3ht}u@q?~V z>e8h2{>|PHVN5pxClLt5>1G3)oL{&alN)z`G%~CyJCh-osQ*Hy8R<0k8yCT~JCREi zdU&2!)oR2Xhzw1p0qtD1VNTqTHC%nGK$v}YLj_5fj3i0{g}S=eL|$3Eo>U zn@P^TC4t8Yyg#KXKlxVO?y7kH91Y!CZAlRgAO}AR&Nqb}`V@dt6QzzsUA?$+*pn?D zUyxaWiq4X2_LOq@#S)c}qGqHr5SiJJBKEXiFRcdP-X@&pe23*(KB0N=(B zJ;-_e$8WuVWre@p%=l-;$3EB0L2^zwtcuu;k< z@TpFfYu>k{^}}b<$a^!T{N%?3VfDW(A!sQPdD?$!;JKfCGL7fX6V^o%oH7PpOS&g* zM&0ZQb%l||O>s>oGzuzz_3D-Ai`LGSOdw6IzzWBfQUM{IL~P4w+VSHin1w`vzom|p zrBm3w`HpD8ytg#;f|Zx}?=kB$T?#*>^hV8p^%hun2?5Zn0)Fo|>_)M$GdMf>iz;?$u9lxnnG5^NEAkQz z@d@PqD!F_?(?Yv-nEiA5M0x@10YXbMY3%no?S^~kv1*je^(Jl27VIU&30zqeiXH)1 zk}Gk61&)mN{))tXLG#MG_VD|01UIY1#aNg<;RUgR)uA#;9`@Vfn7LtT zb%Fv>lsJE$bQ*R>3MYBU@ zSUIfq5y>Pns9DZo9e$as$;C7WLUJ}{2y!-sQ!0hz>?g5_OfSl)Ss@>EXJ#{Tz>Zpf zd$Nx?@7Ot~Kixjsmo~9S*OF^GE1a`Yw3m-LCv5)~Nps4JkrJa-kAPdQq}I@9mW zWBz(j8E~w4X1H+5&f1euGvJAWlNCL@R59e47~d3Bm?-wWu`#!X-dLNrDeZ=CX%v7h zX|eQf3}9#)vb{Jd;d$7@Ft^b?KKu@MF|VwvoXMIA{swb7Va=5%m!!yQfCS)R?gzMR zgtwKL&rua&(Www~=MzDFtgwW>Qw5}>UW&pqQQ1kJ4zZf?M-+=1-bXOl4<|%gl1L12 zQ*-aFOOd4sF_647(sv>8gH=ggnue>Q=93ArRA>a`7LkD^O5PSQ@I3kh3r6;oYAI?W zIJ!HBTo(L@Kd}Pzz@dEBeZf^!R3`M@m=%rjEhYz|{|<;ha;@j)=RvYkOHv}muAwq1 zW9Cc>M`t+0xudbF1#BF{Y6UGHsmRsU_$GH320igf@0rr2DY-d={|rdei9OjC3PLF+Du=1%kU|9j(MKt#l zAP7#yR04-u`yDCBdv%5$qFE%06J!dmWYhUt1Kj473Y3NIW#^PK=RH$SF4sbNu<_% zF{Nvvq|wB>D4^YzPz4(Brwtw>YDqMKHHSQs6~LNiZy6owNlg@~@{yJjQTX&Ctlk$M zStTuc7_HnNKK_rCm+^n3U;@0M#TS<`6S|?JPt~>hY~F)7!KOuNcV@nW+k7sEu{P4U 
z+69P37U?fHAC6fH1b{_YVJ&Du&JL9IXBB%T3Qp!S`fQO5tc^N9PVL47W{F_DJI`lH zQ}G61o9Qex!QeGnL`ZP3lTJvSqqnRRBmd~(udUqmd;)Vv`8Bi2dzB>BJzE(jafMcev{s< zw{pxO*SDN%nDJIRr9?U8R8dr6h^MH?q#T_LL6}DnZ|wc)@#nua2NP2u*hry*$3Um~ z{`^s-gJCXFWslOSA0+fLz>WL8+Bo(kC^pu6-svZ%NBy14s4Od;o0Tbm)u?Bd=cx~97!QeG(GZyQ*mwZ~+6k(R+vDYq`BGO5yC_@d!SET$!z*0q3JwfFjO|+y-D-o8SlM1fjEwrRGU1Eg~N#?j>``7yx zTT;5_{P%nyy`cC%hfnB!c^)=A_(i7VIA;HPwQ3s*uYxfA%^dG5Y3&vG<^nX#_3wDu zRWHXtBan|K8pFKjLfu^6o2EY8DFHs1pX8lf?$&kfgS_?m5E9pKsehDxD!0?oszCqz zX$!%OTKY_4%{k6v{rO+Y_VWIt?5!03x~K+7_*X_+_?Tunh;T|ud!S#c%*VD+*)$4L zMUfDtH!7h@7x;&xG-Pye?A;o~*36X9kqE=|YWw8hFJ!JVc|(dkjy&iuXwI@k`|;=v z)JSZV%m;{ETDXVNvWTO3I^WI2Utg&>38$l*Zyb69(b$7Gu4Q|uI3*Rv+|6oUAj&=~ zQ)g4&AgqNTN#@wnM=3%n2#9ky)KV^sG8+``0q2wLR{QO4r*CsOj5kAmkr#s|d=kri z@OB%UUvM_EbDfNq6M<*I-pa+0Bya=UiW#hxlM{4FaRATeuL{z^h@?0;la9^G)8=%^ zZ@oz{5E_?iS_&FjpfP#=9^-1LYsF^R8xwS|`k80URE`%QH;8^#D;j3?chjtYEsIj8 z*GBnYOOJxL)2J$8Ek0u{E~lDm_mMGHnN)@@E?@7hlCh-T$}t5` z6=aUGkrF+WRT5(UFaMPOcdAI5xkD$eElHMi3z0qyId<{LO9b{R&|a8Jusjf9nqTVu zmwhbETIVu^Ilt9u;$Xf zm~u=tD9CBAnVDIjRbNMzOuLTxvI{s;W?T1&^0BChp3?vFZw=l^TYo6X4Jv=3c>gkr#IyNIs9zeVO#?()SAS;E8(=gg=9 zMRm>+f73t80UB#1I3h}oLie`;jF;OaxMpr+=)0Bo*!qu`${gEfo8jzS9%=#ykATxP z-W>-!*H-Zvx8ll@^T(>8)aJ7_CpfT*;9OM`MWg!6+?0}q$Ep(ZlY6=t0FwgQW0loU z1C^H>nVC6wV#`>KsOU8Buf&$BNqCn!o%I*7`B?KhSeGxv)w~#58%5aRM$g2S0x2zT zRMIQ(c9~rAY{3{%+)bTs>25@Z_%HwG8rODP9jRUzg=s_zZI!}G24&ZZSQ47Fh^sQv z6ZV5-SQMfN3AFM(u~goS>aSk=c7=v5Aju#!D#ZrlQLGM>2x1%qP>aVS&{Z@6Hg;@* zC48;s+lZj%+Hx-fD@5DWNl%l&jqPyQ?&Rj*?1M+Oss)G~ZSMmq9g(`_m8&T*M+cEl zv#M%*o&TgXkm3hnP!2oE)p<*t#8lym^h)rnh0Ln(e`S+&b`qIcX(RHFq-e*8_IP)+q;5A#LDPq87vW z1KF(%2a}oFe2pEA zWKL9{q}SJ|B96Foy5d+8r(KyXR|iBQPHizHhdPfu_;k+6Q0g;7R2^#uQcdQ^bkXt5 zS6UL7m?#41Gw}q|GZ``-8{}Wro#?4%qrH|*^K5z#2wAfm;!?1Vm|uXH_VkAqa0WJJ z)0t+8gEtmz>eTd1sud~jAvpy@3N#)1)c}9h>chxDyvNuV#Lz_>C#g)YGufSJACK~^ ziR3}P!J5T#^v=~L?{Ck`*`xHhnOxw;U6^BY;zYPcdmi%(iHfll6tg z(3Vm$-N4I{wmf=n5}%LJO-GLB^wF#}*K$F6v*C_+H{HPjKj+oxCW0HG3Ba4^s|!9q 
zp)_#ZfHaJ%zXjsoL9=bI=Tqqjr1u&bZtY+-D#+wfYW!qYv<_X8O!njgW@;XoD+IBw zE`!#J#ztEfn%Ib*vC}>-9S#s2JQOy?^T|<=5KA{LVzBGul@}0FadTe|xiWHkiQxNR zaNDfn?iern{di5}mZ!_`b{Q~tnBe4n$TTFb!R0*S@Myl{t6ssM!Wd*vf1iv*9ZI>k zxxv_39Q;+`2f>|=nE)3aE?$PYwMh#=i6Z=I&P_G^LEFy*`XJNE+sk}kfB3>7=Bl zs|%tMAe*EaJj$l)zI~of zfAnu~JdIS}J;SH$U~KC#`k^kRdU*c>qczRr6?>^}#cEY6*-6j-#*ql*;G@R>Z-4 zzUFEr{)_T=x~`#19IQj!WbmeS{jPZ!a%sjhB&924D^C&UU-th?B0NmIip)nKnbSP7hO+j_d+DC0aKQDoYW@P1lZ{4M`!-jIuv*Y%LQz!AIOy$3;J+`$3g4yiU+}}Rd z-Q7NU-3>u>HE)7s{VDf)vug==h0|1$r<6da_y!q$;{f3 z+&a{Tmu$7%JR`RJn9(_VEmkj}#`fni+Jmb&)V&Otod$4Z6?BG|vK=TR^oEzsPSRK@ z6FwN2on>C_WYOKaf4&jgc^?AbqVMD%mXyOTy^L~;}uUKX+rHn zD3|bzH=TmerolE^!!W~$m=dP7u7{PMSJ?x$nir4K6z+kpDLO`=^$hfo-%k3Pj`C^_ zUhnNEaK{8dXHxvJU4UPjG_4ZT#V)x;mzG~Q4nA*jDZG8p>17ooK3A}??61Q%g!SmDlcQjc3WeLt z6lXd<M~4fGnkTX$XHgz=M7M&AO`8fq0+#v%56sS_{Ly_m{X#+BI&WFkrRXIfXC!(P5d1L9hJKVcGwE%owoj|A31E2Om@c*tToL zOR3YNCr5$*FL6=eVoMWr7_iqcaGp97P&nK#00xrF&6+$nEJOYJXu@7jH}kFr9dQqo zUf;dyFQG1W8lRJa9ZxbMI{!k0clhfg=^(6X(o6Hj#*4{lYDEZ6?P}7Yd3st?9(gq! 
zY5&LZgqv22J~de4UyVJANWHT)sHjqkpZGm!Xpf@-udi&`Sg*~P`I)O(-fZ7&#ycz9 z7IA^MJ6Bf~_vD|V?@u4zpcf;>Ayq#An8R?bce}u4)jSwkAzD_aMalUbtY$#qNm8M))-y{wG_?pA5=@wav(l0#crq>*{S2A@6 zF0X^L4XE5z+=LQQu45-{-`N=sW?uyTR}6MBY?S|x7Tm|^858a#!0^aV|=LBfRn0%4*BOF<97_mKmW`4 zP;Z&n+ONAEye1Ew-S1Gpe|4VU(^u>Go4q8plmJ>;PR+`6T-#WUt{4u?VyaYif~6FT$gyQxLD8e6JX^WkFj ztURjp8&4(Qh?=oxAO%?k697aaa=I0@esnr_i|oFwm2rhH35v$I)UJ4)O{-e9TCYiY z3@lR@#%w6Ym5Rbzzm4G53rTcPH*Bc@+lipI94pX1cbs>?4dtL9YBpJg^IzAj9oHCy zpc)HBmxQ|ad9l+O7bzUk5@W=zCEWgo+vseilxT5AXwTqE{{npUYIsN?cu-y(P#=|C z<@50~O)(-8&2jzrz5uRVWU?!vL0(?YWdR;L<^p%wn0iG?Ijw*HXarjF_u;!prI8Bt z6=#Bug%?mWOb54jA5RcS2;ia;!j^E9zgF=@WF1i8O2?N`&NFIat7;dU&?oWIHU*vE zgyya(o-xUnqdSzXh@5Xlc#M0K#RAt0^L87)M_A#k^aB)oI7vv7cBNu2yf^$ys-VIr zp@rNomez$hyBy!D0_Btc)j}@D-6{Ll9w`av-2+eH7pDzfB@|EhHkCSVG!4LGr&GE= zKzlmc#54?Rp%ew4c^l|IrG08s6@#XwXFGqHx|AJ5f8vBYj;MngolYK=FJ(gh;1?x* zJ-)HrdcbV14tb-1x`N_zTis#5ihQX%UnW=|x!@t7HbPUILr$~RS6#lX*tL3h>$Pqy z39O=re*kpXf{9#(`p<2jRpUGG6V25bIMOgIg2A!Rc{m}gG$(ta}Ji^O6;xDC8Fw zh3^rlaI52L{mc*8Cua{QGa+NX-2$RRZ5l`X@Fy<+$~L%BPh8LgW-*G~Y0WX?A}su> zV3yAS>Zdtiz{I#CfxOMra17+IPX%7S+*#PLv)l(5V7DPLqdTlHtFeq{cX8GGmGex zOgFhU`{i8XWtfCzP;w1|ch52C=}SG5=)jiJk=(@<@!!q#<>2q1D{kQA&g~uM+uE5^ zWkdwtKHo$&X~30NQ^|p>SpKro%W~X09RsuVg)H#gYC7!ZV}A`eBFCtu>`wK8WOJ>+ zHRObnHgk;@`-&hEEtEPYn6JXH214ImtlBp6oVDQ(z5w`x`o&P8S|1}BmMDEVg^XRSPw;>I2LW-GKUwiyJ{HCGDi3qWx$& zNs$|k6uYv`hKMq@Jb(@}`)yO{3-mQ0SmCv_2mEy>x3> z0>vZAK~klO9HSxy_0-oOTqdF;na}C5#?yH)rKdER{!}_kOI^gAT_S)+Kg0wrGYdyW z9-`ZR`raOCp@#7Dqty~Io2&sGT#bQYUHUCEv$5c>Y{+*ko}aLiY57^xDQ`A+ZZGjW z&vP+uxFs=~ChJmmn~C(5T#s6X*UsIe`(@OHz!AI}Jr!p?UCDIIGF~ZK*X$gWI3c%^ zlj$6jQAFu~0GVeD#Bs8uNylpV>=;hrzV1RHKkQyHz;V#gJ ze`wzL@+6dOV~)*`X6edDVIE*b*D{aB96W%p#eoJ?GUi0JU9p9S$vHn%1BQboos!cY ztryEZWX9`C&$g0%ZF=*c_?xGz9G;qv_u2dNwsR$0fCoo+`k^KxfLLM$aDuxX4SWAc zV*jKOv|R^Bwi-37M4;_ZdagN`bQv2&-9XP+nc0_)(pwvNbT&=xasDRbws zg*OB%&UfLd{n(i5<8r0bfl(a9(mh$Nwofh*?T$r!*1Kt7Fx_%K$?PcVYXCEA$bm?Q z{9V8Ob$j2eWd!Q3!)lVg6Oc)X&HQNf(P%YQ*5a~M*GX4MFe@ekU)4UuYNgtLbz`*b 
zuZn(w_rksLH$cWtt?wmfeZCU{6Tn*B7tx_5U6r72Iy=|P=N#?XmB(}a>gl26e^ee& zTvky~^un<1uAlw+e)n58_fHU`6NUAp^z&{JA;{JITJjyq45(vk_(=9|Z+lH}_>$2VDH9O_|>3(APxEFu)ht>)+@N`*$b+DYh>sa4$bs;d|{Xu_4q2 zhEscwwob*HgVN09)&dsaLN#u^-D#nIk)0?|(;sgRlJ1|4${?1}yjknfX1E1yuE0*R z^S}=w*yq@rkKrwK0D0ZtpmcP*UvqKQ<6If-@_{MY!vV^t1o}?4`Q`9WLF<7W^8)+o zb2)GX60xx0aOa>Cv%2_?8jkh4;kRcbKlEM;!$$S40`#f0%R02qByw*EZB}AmQ0dg$ zh1PAY-w~_q_a!CxnlfKWmRPm2>eV>>M1?b^$ul$6hbqAp23;RXU9L9mgEh8uXoV4M z+ZB~dNxC_j4(&SV*mxOSw7+)`Qu;yYO^s74vy8F=JdoP%A(!bVlsGo;KB~7q=BM-| zlX3h+i1O*66gD~O!KQonN;9LD7K13STN!TTck(K&d#F~~nD~+@OZxV0v+m?at0e00 zBGM>4d3fyWm+n7`ZTmLham_R3rxj()H0#`apt@vdkoY^11v-!g+V7-XdeHGcWwEe? z=TOqDt=E9@X&;1zqvMCGRA95rWOz2eySFLT+*Zy|RFU`z4&?-0qTzy?EfFhD71DGK*2i2uuu1rQzEk-G zcZ!S`2GfWXeQI_VM)pAO+bm0*=NEF_Y>cl34Jz*7q$uCJ2-{Y6I|LR6G|#F9G&{cY z6$4K$6TRnG#9=z~)#_LBbRw(*UO~wlJVjzqw+9uzyWlv!^!eY8?*DR4dQ}~ZU3os; zNBI49R~anc2}B}8MX+|zk|lcuKXI(7pa1zZU+i5&{NcNDqWihLpRZA&zJ>l7LLwKx z4Z{(frvCQ6$7ssqn~arv?q{_4RUKP;K+i4hp0GK3^Ig}mH`X0;9rMnOuQ0b)(hmcd z1-bOK-UF~q05s3@+Qh?H;x$u0i8T1HvLYZNNX4isp3);H{&fnaF(^k-k)#OvOh>Koi7#fE?-P(*`>^FG1oL(g-vx?LqbA+ z?60e1vO%R~U%2hQO~cW@+X=2|1Q9Z#)<1H@a98SvAC|4#sA_*K!Qd@D)5r%u$ad z`$f79HKz{gym~U)b5))gKOHuxW&076u^g-Vz|R~tntG*zKsG)cb4G9!ytVE+@kArC zhJ+!`y$c5TzMrOwe=c>)mWie2i@xsb!DY`JppD-p?^6g+m2AwQOiS;XNOh?AcY?C| zZt$iey71Vz;Bbbyl@pD9jD$d#X=DwD7TvDQCJ6KS;x4iUG@3DO2;?j>S@_;yot4NQ zp%ASm3)LX`7d_M(EQfk%rJ9^;A@Vk`-iRZJ+Ox6a>FSATSBEZr;4pJwxxhD_a{h{V z%1qTTB>Veed2+RhJrjUiZ&~K5&p* zS+`WzJ}9lH{-fxJA75rEOr8#}s`YHfXMavEJ5Dp35ZR@CZu0|&xp9%dE?;IP7QWG* zc%uWTZ@|391RhFH1r%{?IWoJbGvIeMSyLvoDSwYj(M(YD*in{(x(M=WdwPa`I=kxH z#NJS*bRp`xE%HOf>t@MuC`MZ>gj{F%oY>@&M>K^tjngSl;88e@%FcB>RQHU1h(a8C<65+j9nVHv#?s1e!i=h1{G6|I*A5IL zJ48Ks$YCKJ^wadhz{0DZ4);#?Eo=^;@Dld1$WxBv?W!d^9i-*p;Nb>-FtgzNFuHU( zmc4fUe0Ixm(%a&m`tRGC=(nEaw7J7GW{qE&YpPQ;7^PD=}sQ$gp)=|#`VVdpJQU*it^l_XI;HF89nm~j&ure^@iJXvXtM#Urt19 zUcDT(YsNFr=*j=SQtKR~`Y<@J+MbxpB=NucB_DU?nrI_Z8;j)F~BfcBFb2R>Y013D&K86k-NoVWfI*$i@e2N0B_UcAp5DN|-i48c9tEuM-8JM7sgUvdAtkq6izkHkCkqlW 
zh~LlVCI~pZA`dS4UA`bwH$>SGEqldRU$4AxX@A3(-_u{Cti86iwchm6n>V`(?OImK z`|k&sjfE%`(=LiNkZ6bVa@Mk{?|9~_O!lQGGivxo?>1|}x#gQ898CR%6RfYZ(AE60 zW=h~2m{>^0KTpOz_jP;CoL3!%I#kX=8BuWegvQ`LWed>DCV!~1ZM>e>zD5X`)TZoE zlktyOrNIEh(garPNbXQ2tjZKyf8O@nW9KU1vyN7~$KqBe;Z-d5q8d^45#^D-`h#6l zbGX4MNwfys5_*@Vk0yH0)pK>O6aA7(jIw2V0y+MZ#X51$t=#?S>Ic6Ei(+!)4DJg6 zoLqI48gVzcz3<9a%=B-1-xqkM)BOwPs^Lv2wL%kzZd$f}DnpEKCKFZmp_N#^^%iWb zPU=H9i$m40P>lPlA7=|cT)^9@;Me|Y(Bz-Jyum|i$`IWg7xp1O{nDS`F$ozf? z-L2Y>%{4QeW9p=}o&DMs37E5LN+$scNGX`|NODyXgsOjb2N`+>B7AXMqP#WHL5Zyc zmF!Inrr=Mmc<#1vu)#jP=^W$u{Oyloff3!#{f#>jfVSLX9!8W6P0}datz57cd9(?r1@b( zM7>x!3!6|T*?ba`FNisv*IEOOM4ubWu8#Y1^YknT$hO^ivSOEQvt3ivQ-=5RCGW&UY)5%Xzeu3z}oQ_w?Ao$t;P97@9Ys6_RxE3o>5N z=5_eL!E07}rT8JTu@3%VXu1o*>ItRd4x_Dk7EX-c$HZ*#SONqrGh#=PIqV z(u^8Ah#z6{^nbjW zS3#+v6VE9pq)|j43wo0m8JofAmrHz+Q(m5KJLy6shgIH}W6U)-*8iKEU%S7`<;xM5 z=XGhR7X$BT8d8eZJ(4DVhEHu)b`RFT;B6fA@$#0cg*F?wY1J-!S9V)xn8t2Pw<|y3Ek7I z@8A9~$BtYd^k<7&7_qwAswNt%mXLCfF-WK8*UsVG#&EB5xjOiz= z9R`wYbO^_j0F{h6#pWUbPH%xT%n851t@)TqA=I<6z=H&{%z!QVSv5Sz_4m!HBFz#* z#lgKoEFD;*)rpc-?c}7z(!f*A*jpBWBD(Qc`4OQ)lkN9wlQDfC+s3ZpIz4WMkapqfQ;O@3SC6jk^ zIh8&rg1Zn*Q)3((SG(IN#?`N^)$t`lB^mU~J%48*AIW2z)O< z3o6F0mdKBxS^$ssAEEERwBuDJTTwqX;FFNUhku4itlz`RW)PLqog0u4w52-Q7twM^ zWI?Gyrq)Ag96aRw7iEUS2imeE;Aov4PR zJ)!7lL0{12Fl#*ST*;G_{>Cytw|PRv32c!O!QE`#lNc(QXhpAgswljnn3ubjw38v) z36PT15(R5ECgpT%#d9|>di83hzpcXurG~l(HSZROe~5wPt5?pz`>&(*ry8d|buDz2 zASV&2`2tkLQxx=<3M;IYSoUNbkGqm_HI%z*jcNdSv4Tvq-Z;3sjTG1KB=*`-X7I%F}#QOdva1<|~pShka*oIKvXlKBPh>#o$v*wFsr|~#a z$;br`=GGnA&$H&%OtQqW)zAD-;Z$_vQ~49~p%J%*d1I*5WG&FR5F>)%-<(niPTs7B z{}i-E6B)Rc8WA(G$`pmI2Dz!j1AlWrtOqK=Sg)E+d;ZU;^{~%BkVCV8jN->2nh3ncPnmpDV2^z)IP*kT2mq--H3kECkJkJf} z1Y~5ZV{V71q1#snIaFtT8q14QXpPI7|3@m3D39b2R71FA-61ySkKIU;93`JS&EAYe zVZkKktfF)azCYFF6}XHGF_<=qp`qTrWkP|K*4o=+(jFv=*`cv!B-hDK%NDjra)l49 z;+6z9Xl@6CF6G%vB}K{ZFy$HSI?@=!Dw!=Ur!$#!rv*)+V;Rb&ol9WWA{K!-pES2M z6~Z%0Ut%b&AZCpUL{~T0=nt=F)a+-K>;5(y1V-$lbsn-3eR0-7h-v%a0qK`VCl-nEz-W7a|s5Rm|!BG)Pn(ky#RzrvHPZxYIAspc@#x)Ixw 
zdVr66#y=rBl**it@m;aLp#xt=$)(NJxD91^rUt#riF^GrO$!cIVGX)RgGbx-^za*V z@Nksd3wSh6kMmYiL&(FRn#x`-Evi9jCT5;xHd zAnYZT!EdIM8|T1!Xyd#rFgY^@0#@>Ty*fn21`tXdKMrBEZtKv6R2QUa-7}+|pz5nr zOkl2;ASSJj4-Hf)$a3*4IYRfwKKg!(E+eg)C*FvgNA7BpRn8JlW<*H%Qp5gZCY2m#O<4q^Zssj?&%KIBxuOZIO zx+A4SMeLUOFiy=oMV)~&ADv+S#u9zBlG_`SyqP^fG4DRHK1Np=s-@0qIbfmokm#=%;n@QcdItFThBwHH-!K!#6la zG$6f;R;r=aYLhT-YS}(|dUJ39Nx0e7kyMrf4&?lSwV#0)A^qGbG3Q54eOx1I!@>S#i-C;mOl@7bo-sYd^VD>v2lF zzUiYN*JE6JjvRDG{&4ks(pZhTyA#{(2L&74dXVjwoN2~cH4ddxiGY~vKfgFgsLtAg zP)Pur^)b&4J~JI0>#A-ez^OIwc;77eY_;HARpS^?e-CTrIS8K&rb#aE{w_rl2QVCVn)n*1&%b$u&OD(wf(e)C!J?=1`Rvy9 zot)8yAXpWzy`RaLtUKlkv0+@jFo1Y7j&(O{ygeG$Gu3(i#$aC$9Hq7HcpLB{Y-9JM zC<|~H^}&=3>bB_SfNP<)hKMF2X_$s7ds-jf_O|?o66D7l@<${pJ_Wo_3rkKxfR&i-W)X-@%XTban2hLzUn<81=n zwymmZ2N8s;k4$ZJO%4z`d)kwC{-Pqn2ALf1lYPYcN(E>efhbL&orI7F%w*IOFQ#5L zXma*^Me;(-(157lw(mYRC!;hO+w8<~NJ_dB>ZzBN8f@1Oh)-Eeww>`dj3s#%F`&suL1!cUWS+^E%t~`Z%_nA*`92G)OtJ4j3G_XE|~x4EIJ)KtmW;XozFEE5MD17I3<*{i^k_NbwTI72gY_eX50E<;7w7b z48vEsV=FPE;0TL%BoO+*=l;p*~sY(*JHE_sZ`5U#t~1MO3u^NRVD%@M|{K`Ooja E0KabGCjbBd literal 0 HcmV?d00001 diff --git a/Solutions/Malware Protection Essentials/Package/mainTemplate.json b/Solutions/Malware Protection Essentials/Package/mainTemplate.json index 99a590341ff..ce74f166913 100644 --- a/Solutions/Malware Protection Essentials/Package/mainTemplate.json +++ b/Solutions/Malware Protection Essentials/Package/mainTemplate.json @@ -49,7 +49,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Malware Protection Essentials", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "azuresentinel.azure-sentinel-solution-malwareprotection", "_solutionId": "[variables('solutionId')]", "analyticRuleObject1": { 
@@ -67,11 +67,11 @@ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7edde3d4-9859-4a00-b93c-b19ddda55320','-', '1.0.0')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.0", + "analyticRuleVersion3": "1.0.1", "_analyticRulecontentId3": "fdbcc0eb-44fb-467e-a51d-a91df0780a81", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fdbcc0eb-44fb-467e-a51d-a91df0780a81')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fdbcc0eb-44fb-467e-a51d-a91df0780a81')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fdbcc0eb-44fb-467e-a51d-a91df0780a81','-', '1.0.0')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fdbcc0eb-44fb-467e-a51d-a91df0780a81','-', '1.0.1')))]" }, "analyticRuleObject4": { "analyticRuleVersion4": "1.0.0", @@ -145,7 +145,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "StartupRegistryModified_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "StartupRegistryModified_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -155,7 +155,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -173,46 +173,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -228,16 +228,16 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" 
@@ -245,16 +245,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -262,12 +262,12 @@ { "fieldMappings": [ { - "columnName": "ActingProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ActingProcessId" }, { - "columnName": "ActingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" } ], "entityType": "Process" @@ -275,12 +275,12 @@ { "fieldMappings": [ { - "columnName": "RegHive", - "identifier": "Hive" + "identifier": "Hive", + "columnName": "RegHive" }, { - "columnName": "RegKey", - "identifier": "Key" + "identifier": "Key", + "columnName": "RegKey" } ], "entityType": "RegistryKey" @@ -288,16 +288,16 @@ { "fieldMappings": [ { - "columnName": "RegistryValue", - "identifier": "Name" + "identifier": "Name", + "columnName": "RegistryValue" }, { - "columnName": "RegistryValueData", - "identifier": "Value" + "identifier": "Value", + "columnName": "RegistryValueData" }, { - "columnName": "RegistryValueType", - "identifier": "ValueType" + "identifier": "ValueType", + "columnName": "RegistryValueType" } ], "entityType": "RegistryValue" 
@@ -363,7 +363,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PrintProcessersModified_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "PrintProcessersModified_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -373,7 +373,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -391,46 +391,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ 
@@ -444,16 +444,16 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" @@ -461,16 +461,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -478,12 +478,12 @@ { "fieldMappings": [ { - "columnName": "ActingProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ActingProcessId" }, { - "columnName": "ActingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" } ], "entityType": "Process" @@ -491,12 +491,12 @@ { "fieldMappings": [ { - "columnName": "RegHive", - "identifier": "Hive" + "identifier": "Hive", + "columnName": "RegHive" }, { - "columnName": "RegKey", - "identifier": "Key" + "identifier": "Key", + "columnName": "RegKey" } ], "entityType": "RegistryKey" @@ -504,16 +504,16 @@ { "fieldMappings": [ { - "columnName": "RegistryValue", - "identifier": "Name" + "identifier": "Name", + "columnName": "RegistryValue" }, { - "columnName": "RegistryValueData", - "identifier": "Value" + "identifier": "Value", + "columnName": "RegistryValueData" }, { - "columnName": "RegistryValueType", - "identifier": "ValueType" + "identifier": "ValueType", + "columnName": "RegistryValueType" } ], "entityType": "RegistryValue" 
@@ -579,7 +579,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousProcessCreation_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "SuspiciousProcessCreation_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -589,14 +589,14 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { "description": "This analytic rule detects process creation events with base64 encoded command line arguments. This could be an indication of a malicious process being executed.", "displayName": "Process Creation with Suspicious CommandLine Arguments", "enabled": false, - "query": "_ASim_ProcessEvent\n| where EventType == 'ProcessCreated'\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\n| where strlen(CommandLineArgs) > 0\n| mv-apply CommandLineArgs on \n (\n where CommandLineArgs contains \"base64\"\n )\n| project\n TimeGenerated,\n DvcHostname,\n DvcIpAddr,\n DvcDomain,\n TargetUsername,\n TargetUsernameType,\n TargetProcessName,\n TargetProcessId,\n CommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[1]), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[0]), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')\n", + "query": "_ASim_ProcessEvent\n| where EventType == 'ProcessCreated'\n| extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, \" \"), 1, -1), \" \")\n| where strlen(CommandLineArgs) > 0\n| where CommandLineArgs contains \"base64\"\n| project\nTimeGenerated,\nDvcHostname,\nDvcIpAddr,\nDvcDomain,\nTargetUsername,\nTargetUsernameType,\nTargetProcessName,\nTargetProcessId,\nCommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', 
tostring(split(TargetUsername, '\\\\')), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')), '')\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", @@ -607,46 +607,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -661,16 +661,16 @@ { "fieldMappings": [ { - "columnName": "DvcHostname", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DvcHostname" }, { - "columnName": "DvcDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DvcDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" 
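Review bot: The packaged query in this hunk drops the `[0]`/`[1]` element index from every `split(TargetUsername, …)` call, so `tostring(split(TargetUsername, '\\\\'))` returns the JSON text of the whole array (something like `["CONTOSO","jdoe"]`) and `Username`, `NTDomain` and `UPNSuffix` all end up holding that array string instead of a name, which breaks the Account entity mapping later in this template that consumes these columns. The second commit restores the indexes in the YAML source, but this mainTemplate.json (and any package archive generated from it) still embeds the unindexed version, so the 3.0.1 package needs to be regenerated from the fixed YAML before it ships. The four `extend` expressions should read `tostring(split(TargetUsername, '\\\\')[1])`, `…[0]`, `split(TargetUsername, '@')[0]` and `…[1]` respectively, matching the YAML. The `strcat_array` / `where CommandLineArgs contains "base64"` rewrite is fine as a replacement for the mv-apply and, since `contains` is case-insensitive in KQL, still matches `Base64`/`BASE64`; the enclosing resource object continues outside the hunk.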
@@ -678,8 +678,8 @@ { "fieldMappings": [ { - "columnName": "DvcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "DvcIpAddr" } ], "entityType": "IP" @@ -687,16 +687,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -704,12 +704,12 @@ { "fieldMappings": [ { - "columnName": "TargetProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "TargetProcessId" }, { - "columnName": "CommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "CommandLine" } ], "entityType": "Process" @@ -775,7 +775,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BackupDeletionDetected_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "BackupDeletionDetected_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -785,7 +785,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { 
@@ -803,46 +803,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -855,16 +855,16 @@ { "fieldMappings": [ { - "columnName": "DvcHostname", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DvcHostname" }, { - "columnName": "DvcDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DvcDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" @@ -872,8 +872,8 @@ { "fieldMappings": [ { - "columnName": "DvcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "DvcIpAddr" } ], "entityType": "IP" 
@@ -881,16 +881,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -898,12 +898,12 @@ { "fieldMappings": [ { - "columnName": "TargetProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "TargetProcessId" }, { - "columnName": "CommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "CommandLine" } ], "entityType": "Process" @@ -969,7 +969,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsUpdateDisabled_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "WindowsUpdateDisabled_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -979,7 +979,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { 
@@ -997,46 +997,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -1049,16 +1049,16 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" @@ -1066,16 +1066,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" 
@@ -1083,12 +1083,12 @@ { "fieldMappings": [ { - "columnName": "ActingProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ActingProcessId" }, { - "columnName": "ActingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" } ], "entityType": "Process" @@ -1096,12 +1096,12 @@ { "fieldMappings": [ { - "columnName": "RegHive", - "identifier": "Hive" + "identifier": "Hive", + "columnName": "RegHive" }, { - "columnName": "RegKey", - "identifier": "Key" + "identifier": "Key", + "columnName": "RegKey" } ], "entityType": "RegistryKey" @@ -1109,16 +1109,16 @@ { "fieldMappings": [ { - "columnName": "RegistryValue", - "identifier": "Name" + "identifier": "Name", + "columnName": "RegistryValue" }, { - "columnName": "RegistryValueData", - "identifier": "Value" + "identifier": "Value", + "columnName": "RegistryValueData" }, { - "columnName": "RegistryValueType", - "identifier": "ValueType" + "identifier": "ValueType", + "columnName": "RegistryValueType" } ], "entityType": "RegistryValue" @@ -1184,7 +1184,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsAllowFirewallRuleAdded_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "WindowsAllowFirewallRuleAdded_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", 
@@ -1194,7 +1194,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1212,46 +1212,46 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CrowdStrikeFalconEndpointProtection" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SentinelOne", "dataTypes": [ "SentinelOne_CL" - ] + ], + "connectorId": "SentinelOne" }, { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" }, { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" }, { - "connectorId": "TrendMicroApexOne", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOne" }, { - "connectorId": "TrendMicroApexOneAma", "dataTypes": [ "TMApexOneEvent" - ] + ], + "connectorId": "TrendMicroApexOneAma" } ], "tactics": [ @@ -1264,16 +1264,16 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Host" 
@@ -1281,16 +1281,16 @@ { "fieldMappings": [ { - "columnName": "Username", - "identifier": "Name" + "identifier": "Name", + "columnName": "Username" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -1298,12 +1298,12 @@ { "fieldMappings": [ { - "columnName": "ActingProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ActingProcessId" }, { - "columnName": "ActingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" } ], "entityType": "Process" @@ -1311,12 +1311,12 @@ { "fieldMappings": [ { - "columnName": "RegHive", - "identifier": "Hive" + "identifier": "Hive", + "columnName": "RegHive" }, { - "columnName": "RegKey", - "identifier": "Key" + "identifier": "Key", + "columnName": "RegKey" } ], "entityType": "RegistryKey" @@ -1324,16 +1324,16 @@ { "fieldMappings": [ { - "columnName": "RegistryValue", - "identifier": "Name" + "identifier": "Name", + "columnName": "RegistryValue" }, { - "columnName": "RegistryValueData", - "identifier": "Value" + "identifier": "Value", + "columnName": "RegistryValueData" }, { - "columnName": "RegistryValueType", - "identifier": "ValueType" + "identifier": "ValueType", + "columnName": "RegistryValueType" } ], "entityType": "RegistryValue" 
@@ -1399,7 +1399,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewMaliciousScheduledTask_HuntingQueries Hunting Query with template version 3.0.0", + "description": "NewMaliciousScheduledTask_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -1484,7 +1484,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileCretaedInStartupFolder_HuntingQueries Hunting Query with template version 3.0.0", + "description": "FileCretaedInStartupFolder_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -1569,7 +1569,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FilesWithRansomwareExtensions_HuntingQueries Hunting Query with template version 3.0.0", + "description": "FilesWithRansomwareExtensions_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -1654,7 +1654,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.0", + "description": "NewScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -1739,7 +1739,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SystemFilesModifiedByUser_HuntingQueries Hunting Query with template version 3.0.0", + "description": "SystemFilesModifiedByUser_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -1824,7 +1824,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExecutableInUncommonLocation_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ExecutableInUncommonLocation_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", 
@@ -1927,7 +1927,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MalwareProtectionEssentialsWorkbook Workbook with template version 3.0.0", + "description": "MalwareProtectionEssentialsWorkbook Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -2011,12 +2011,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Malware Protection Essentials", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Malware Protection Essentials is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the ASIM.

\n

Prerequisite :-

\n

Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.

\n
    \n
  1. Amazon Web Services
  2. \n
  3. Azure Firewall
  4. \n
  5. Azure Network Security Groups
  6. \n
  7. Check Point
  8. \n
  9. Cisco ASA
  10. \n
  11. Cisco Meraki Security Events
  12. \n
  13. Corelight
  14. \n
  15. Fortinet FortiGate
  16. \n
  17. Microsoft Defender for IoT
  18. \n
  19. Microsoft Defender for Cloud
  20. \n
  21. Microsoft Sysmon For Linux
  22. \n
  23. Windows Firewall
  24. \n
  25. Palo Alto PANOS
  26. \n
  27. Vectra AI Stream
  28. \n
  29. WatchGuard Firebox
  30. \n
  31. Zscaler Internet Access
  32. \n
\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Product solutions as described above
  2. \n
  3. Logic app for data summarization
  4. \n
\n

Recommendation :-

\n

It is highly recommended to use the Summarize data logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.

\n

Workbooks: 1, Analytic Rules: 6, Hunting Queries: 6, Watchlists: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Malware Protection Essentials is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the ASIM.

\n

Prerequisite :-

\n

Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.

\n
    \n
  1. Amazon Web Services
  2. \n
  3. Azure Firewall
  4. \n
  5. Azure Network Security Groups
  6. \n
  7. Check Point
  8. \n
  9. Cisco ASA
  10. \n
  11. Cisco Meraki Security Events
  12. \n
  13. Corelight
  14. \n
  15. Fortinet FortiGate
  16. \n
  17. Microsoft Defender for IoT
  18. \n
  19. Microsoft Defender for Cloud
  20. \n
  21. Microsoft Sysmon For Linux
  22. \n
  23. Windows Firewall
  24. \n
  25. Palo Alto PANOS
  26. \n
  27. Vectra AI Stream
  28. \n
  29. WatchGuard Firebox
  30. \n
  31. Zscaler Internet Access
  32. \n
\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Product solutions as described above
  2. \n
  3. Logic app for data summarization
  4. \n
\n

Recommendation :-

\n

It is highly recommended to use the Summarize data logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.

\n

Workbooks: 1, Analytic Rules: 6, Hunting Queries: 6, Watchlists: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2104,7 +2104,7 @@ { "kind": "Watchlist", "contentId": "[variables('_Ransomware File Extensions')]", - "version": "3.0.0" + "version": "3.0.1" }, { "kind": "Workbook", From bb13ddf8a33af7b353cf107e81ae677d48ece03b Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Mon, 14 Oct 2024 13:29:17 +0530 Subject: [PATCH 2/2] Update SuspiciousProcessCreation.yaml --- .../Analytic Rules/SuspiciousProcessCreation.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml b/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml index cbdc6568479..e276982e5c8 100644 --- a/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml +++ b/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml 
@@ -55,10 +55,10 @@ query: | TargetProcessName, TargetProcessId, CommandLine - | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')), TargetUsername) - | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')), TargetUsername) - | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')), Username) - | extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')), '') + | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername) + | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername) + | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username) + | extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '') entityMappings: - entityType: Host fieldMappings:
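Review bot: With the index restored, a `Windows`-typed `TargetUsername` that carries no backslash (a bare SAM account name) makes `split(TargetUsername, '\\')[1]` null, so `Username` becomes an empty string and `NTDomain` receives the whole account name, which leaves the Account entity with an empty Name. The else branch also assigns the full `TargetUsername` to `NTDomain` for every non-Windows type, including UPN, so a UPN account is mapped with its entire `user@domain` as the NT domain, which is presumably unintended. I would guard both Windows branches and default `NTDomain` to empty: `| extend Username = iff(tostring(TargetUsernameType) == 'Windows' and TargetUsername contains '\\', tostring(split(TargetUsername, '\\')[1]), TargetUsername)` and `| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows' and TargetUsername contains '\\', tostring(split(TargetUsername, '\\')[0]), '')`. The packaged mainTemplate.json from the first commit still contains the unindexed form, so it must be rebuilt from this YAML; the query block begins outside the hunk.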