diff --git a/Solutions/Azure Key Vault/Data/Solution_Azure Key Vault.json b/Solutions/Azure Key Vault/Data/Solution_Azure Key Vault.json
index dcd9becf56e..b0a458f3586 100644
--- a/Solutions/Azure Key Vault/Data/Solution_Azure Key Vault.json
+++ b/Solutions/Azure Key Vault/Data/Solution_Azure Key Vault.json
@@ -16,7 +16,7 @@
 "Workbooks/AzureKeyVaultWorkbook.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Azure Key Vault",
- "Version": "3.0.2",
+ "Version": "3.0.3",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "StaticDataConnectorIds": [
diff --git a/Solutions/Azure Key Vault/Package/3.0.3.zip b/Solutions/Azure Key Vault/Package/3.0.3.zip
new file mode 100644
index 00000000000..3d363788769
Binary files /dev/null and b/Solutions/Azure Key Vault/Package/3.0.3.zip differ
diff --git a/Solutions/Azure Key Vault/Package/createUiDefinition.json b/Solutions/Azure Key Vault/Package/createUiDefinition.json
index 1911cd6292c..611179ced7e 100644
--- a/Solutions/Azure Key Vault/Package/createUiDefinition.json
+++ b/Solutions/Azure Key Vault/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Key%20Vault/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Azure Key Vault](https://azure.microsoft.com/services/key-vault/) Solution for Microsoft Sentinel enables you to stream Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Key%20Vault/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Azure Key Vault](https://azure.microsoft.com/services/key-vault/) Solution for Microsoft Sentinel enables you to stream Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
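Review bot: The second bullet in the new basics description is written `\n\n • There may be [known issues]…` with a leading space before the bullet, while the first bullet is `\n\n• Review the solution…` with none, so the two bullets render at different indents. Drop the stray space so both bullets start with `\n\n• `. Replacing the old `\r \n` separators with `\n\n` is fine for Markdown rendering. The `basics` object continues past the end of the hunk.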
@@ -166,7 +166,7 @@
 "name": "analytic2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment \nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise"
+ "text": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment and also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise"
 }
 }
 ]
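Review bot: The rewrapped text still carries the typo `retrival` in "Mass secret retrival crossing a certain threshold", and the same string recurs in the rule's description in mainTemplate.json. Since createUiDefinition.json and mainTemplate.json are packaged from the rule's source YAML, the correction (`Mass secret retrieval crossing a certain threshold is an indication of credential dump operations or misconfigured applications.`) belongs there so the next package build carries it into both files. The enclosing `options` object is fully inside the hunk; the surrounding text-block element is not.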
@@ -180,7 +180,7 @@
 "name": "analytic3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052"
+ "text": "Identifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm to find large deviations from baseline Azure Key Vault access patterns.\nAny sudden increase in the count of Azure Key Vault accesses can be an indication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052"
 }
 }
 ]
diff --git a/Solutions/Azure Key Vault/Package/mainTemplate.json b/Solutions/Azure Key Vault/Package/mainTemplate.json
index e2ee7101852..015ceca609d 100644
--- a/Solutions/Azure Key Vault/Package/mainTemplate.json
+++ b/Solutions/Azure Key Vault/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Azure Key Vault",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
 "solutionId": "azuresentinel.azure-sentinel-solution-azurekeyvault",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "AzureKeyVault",
@@ -61,18 +61,18 @@
 "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d6491be0-ab2d-439d-95d6-ad8ea39277c5','-', '1.0.4')))]"
 },
 "analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.7",
+ "analyticRuleVersion2": "1.0.8",
 "_analyticRulecontentId2": "24f8c234-d1ff-40ec-8b73-96b17a3a9c1c",
 "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '24f8c234-d1ff-40ec-8b73-96b17a3a9c1c')]",
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('24f8c234-d1ff-40ec-8b73-96b17a3a9c1c')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','24f8c234-d1ff-40ec-8b73-96b17a3a9c1c','-', '1.0.7')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','24f8c234-d1ff-40ec-8b73-96b17a3a9c1c','-', '1.0.8')))]"
 },
 "analyticRuleObject3": {
- "analyticRuleVersion3": "1.0.5",
+ "analyticRuleVersion3": "1.0.6",
 "_analyticRulecontentId3": "0914adab-90b5-47a3-a79f-7cdcac843aa7",
 "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0914adab-90b5-47a3-a79f-7cdcac843aa7')]",
 "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0914adab-90b5-47a3-a79f-7cdcac843aa7')))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0914adab-90b5-47a3-a79f-7cdcac843aa7','-', '1.0.5')))]"
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0914adab-90b5-47a3-a79f-7cdcac843aa7','-', '1.0.6')))]"
 },
 "analyticRuleObject4": {
 "analyticRuleVersion4": "1.0.2",
@@ -100,7 +100,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Azure Key Vault data connector with template version 3.0.2",
+ "description": "Azure Key Vault data connector with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -259,7 +259,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "KeyVaultSensitiveOperations_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "KeyVaultSensitiveOperations_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -269,7 +269,7 @@
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
 "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
- "apiVersion": "2022-04-01-preview",
+ "apiVersion": "2023-02-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -303,16 +303,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "AadUserId",
- "identifier": "AadUserId"
+ "identifier": "AadUserId",
+ "columnName": "AadUserId"
 },
 {
- "columnName": "Name",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "Name"
 },
 {
- "columnName": "UPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
 }
 ],
 "entityType": "Account"
@@ -320,8 +320,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "CallerIPMax",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "CallerIPMax"
 }
 ],
 "entityType": "IP"
@@ -380,7 +380,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "KeyvaultMassSecretRetrieval_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "KeyvaultMassSecretRetrieval_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -390,11 +390,11 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment \nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise", + "description": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment and also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise", "displayName": "Mass secret retrieval from Azure Key Vault", "enabled": false, "query": "let DistinctSecretsThreshold = 10;\nlet EventCountThreshold = 50;\n// To avoid any False Positives, filtering using AppId is recommended.\n// The AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\nlet AllowedAppId = dynamic([\"509e4652-da8d-478d-a730-e9d4a1996ca4\",\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\"]);\nlet OperationList = dynamic([\"SecretGet\", 
\"KeyGet\", \"VaultGet\"]);\nAzureDiagnostics\n| where OperationName in (OperationList) and ResourceType =~ \"VAULTS\"\n| where not(identity_claim_appid_g in (AllowedAppId) and OperationName == 'VaultGet')\n| extend\n ResourceId,\n ResultType = column_ifexists(\"ResultType\", \"\"),\n identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"\"),\n identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s = column_ifexists(\"identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\", \"\"),\n identity_claim_oid_g = column_ifexists(\"identity_claim_oid_g\", \"\"),\n identity_claim_upn_s = column_ifexists(\"identity_claim_upn_s\", \"\")\n| extend\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\n| as _Retrievals\n| where CallerObjectId in (toscalar(\n _Retrievals\n | where ResultType == \"Success\"\n | summarize Count = dcount(requestUri_s) by OperationName, CallerObjectId\n | where Count > DistinctSecretsThreshold\n | summarize make_set(CallerObjectId,10000)\n))\n| extend\n requestUri_s = column_ifexists(\"requestUri_s\", \"\"),\n id_s = column_ifexists(\"id_s\", \"\"),\n CallerIPAddress = column_ifexists(\"CallerIPAddress\", \"\"),\n clientInfo_s = column_ifexists(\"clientInfo_s\", \"\")\n| summarize\n EventCount = count(),\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n ResourceList = make_set(Resource, 50),\n OperationNameList = make_set(OperationName, 50),\n RequestURLList = make_set(requestUri_s, 50),\n ResourceId = max(ResourceId),\n CallerIPList = make_set(CallerIPAddress, 50),\n clientInfo_sList = make_set(clientInfo_s, 50),\n 
CallerIPMax = max(CallerIPAddress)\n by ResourceType, ResultType, identity_claim_appid_g, CallerObjectId, CallerObjectUPN\n | where EventCount > EventCountThreshold\n| project-reorder StartTime, EndTime, EventCount, ResourceId,ResourceType,identity_claim_appid_g, CallerObjectId, CallerObjectUPN, ResultType, ResourceList, OperationNameList, RequestURLList, CallerIPList, clientInfo_sList\n| extend timestamp = EndTime\n", @@ -424,8 +424,8 @@ { "fieldMappings": [ { - "columnName": "CallerObjectId", - "identifier": "Name" + "identifier": "Name", + "columnName": "CallerObjectId" } ], "entityType": "Account" @@ -433,8 +433,8 @@ { "fieldMappings": [ { - "columnName": "CallerIPMax", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIPMax" } ], "entityType": "IP" @@ -493,7 +493,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TimeSeriesKeyvaultAccessAnomaly_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "TimeSeriesKeyvaultAccessAnomaly_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
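Review bot: In the unchanged `query` of this hunk the allow-list filter `| where not(identity_claim_appid_g in (AllowedAppId) and OperationName == 'VaultGet')` reads `identity_claim_appid_g` directly, while every other identity-claim column in the same query is wrapped in `column_ifexists(...)`; AzureDiagnostics only carries a column once some record has populated it, so in a workspace whose Key Vault logs have not yet included an appid claim the rule would presumably fail to resolve the column instead of returning rows — worth confirming against a fresh workspace. Inserting `| extend identity_claim_appid_g = column_ifexists("identity_claim_appid_g", "")` before that `where` makes the filter consistent with the rest of the query and also covers the later `summarize ... by ... identity_claim_appid_g`. The description the commit rewrites here still says `retrival`; as mainTemplate.json is generated, that fix belongs in the rule's source YAML. The rule's `properties` object continues past the hunk.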
@@ -503,11 +503,11 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052", + "description": "Identifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm to find large deviations from baseline Azure Key Vault access patterns.\nAny sudden increase in the count of Azure Key Vault accesses can be an indication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052", "displayName": "Azure Key Vault access TimeSeries anomaly", "enabled": false, "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 25;\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\nlet Allowedappid = dynamic([\"509e4652-da8d-478d-a730-e9d4a1996ca4\"]);\nlet OperationList = dynamic(\n[\"SecretGet\", \"KeyGet\", \"VaultGet\"]);\nlet TimeSeriesData = AzureDiagnostics\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n | where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| extend ResultType = column_ifexists(\"ResultType\", \"None\"), CallerIPAddress = column_ifexists(\"CallerIPAddress\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by CallerIPAddress;\n//Filter anomolies against TimeSeriesData\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| project CallerIPAddress, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\n// Filter the alerts since specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n// Join against base logs since specified timeframe 
to retrive records associated with the hour of anomoly\n| join kind = innerunique (\nAzureDiagnostics\n| where TimeGenerated > ago(2d)\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| extend ResultType = column_ifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = column_ifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\"),identity_claim_oid_g = column_ifexists(\"identity_claim_oid_g\", \"\"),\n identity_claim_upn_s = column_ifexists(\"identity_claim_upn_s\", \"\")\n| extend\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\n| extend id_s = column_ifexists(\"id_s\", \"None\"), CallerIPAddress = column_ifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = column_ifexists(\"clientInfo_s\", \"None\")\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g, requestUri_s, clientInfo_s\n) on CallerIPAddress\n| extend\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\n CallerObjectUPN = 
iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\n| summarize EventCount=count(), OperationNameList = make_set(OperationName,1000), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(CallerObjectId, 100), AccountMax = arg_max(CallerObjectId,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\n| extend timestamp = LatestAnomalyTime\n", @@ -537,8 +537,8 @@ { "fieldMappings": [ { - "columnName": "AccountMax", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountMax" } ], "entityType": "Account" @@ -546,8 +546,8 @@ { "fieldMappings": [ { - "columnName": "CallerIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIPAddress" } ], "entityType": "IP" @@ -606,7 +606,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_KeyVaultSensitiveOperations_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "NRT_KeyVaultSensitiveOperations_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -616,7 +616,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { 
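Review bot: In the unchanged `query` of this hunk the join back to raw events buckets on a different granularity than the series: `make-series HourlyCount=count() on TimeGenerated ... step timeframe` with `let timeframe = 1d;` yields one point per day at midnight and `AnomalyHours` is those midnight timestamps, yet the inner query filters with `| extend DateHour = bin(TimeGenerated, 1h)` and `| where DateHour in ((AnomalyHours))`, so only events from 00:00–01:00 of an anomalous day survive the join and the rest of that day's activity never reaches the alert. Bucket with the same step as the series — `| extend DateHour = bin(TimeGenerated, timeframe)` — or set `timeframe` to `1h` if hourly detection was the intent, and rename `HourlyCount` to match whichever step is chosen. The inner query also references `identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s` without the `column_ifexists` guard its sibling claim columns get. Only the description and apiVersion lines change in this hunk; the rule's `properties` object continues beyond it.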
@@ -646,16 +646,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "AadUserId",
- "identifier": "AadUserId"
+ "identifier": "AadUserId",
+ "columnName": "AadUserId"
 },
 {
- "columnName": "Name",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "Name"
 },
 {
- "columnName": "UPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
 }
 ],
 "entityType": "Account"
@@ -663,8 +663,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "CallerIPMax",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "CallerIPMax"
 }
 ],
 "entityType": "IP"
@@ -723,7 +723,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AzureKeyVaultWorkbook Workbook with template version 3.0.2",
+ "description": "AzureKeyVaultWorkbook Workbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -815,12 +815,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Azure Key Vault",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Azure Key Vault Solution for Microsoft Sentinel enables you to stream Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.

\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 4

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Azure Key Vault Solution for Microsoft Sentinel enables you to stream Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.

\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 4

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", diff --git a/Solutions/Azure Key Vault/ReleaseNotes.md b/Solutions/Azure Key Vault/ReleaseNotes.md index 415bb430e2c..aa377b06a6f 100644 --- a/Solutions/Azure Key Vault/ReleaseNotes.md +++ b/Solutions/Azure Key Vault/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|-------------|--------------------------------|--------------------------------------------------------------------------| +|-------------|--------------------------------|--------------------------------------------------------------------------| +| 3.0.3 | 25-10-2024 | Updated description of CreateUi and **Analytic Rule** | | 3.0.2 | 14-02-2024 | Updated Entity Mapping for KeyVaultSensitiveOperations and NRT_KeyVaultSensitiveOperations **Analytic Rules** to render the GUID information correctly| | 3.0.1 | 01-02-2024 | Updated ObjectGuid Identifier with Name (KeyvaultMassSecretRetrieval) **Analytic Rule** to render the GUID information correctly| | 3.0.0 | 03-01-2024 | Added field ResourceId in (KeyvaultMassSecretRetrieval) **Analytic Rule** for proper Entity Mapping| diff --git a/Solutions/Azure SQL Database solution for sentinel/Data/Solution_AzureSQLDatabasesolutionforsentinel.json b/Solutions/Azure SQL Database solution for sentinel/Data/Solution_AzureSQLDatabasesolutionforsentinel.json index 723b7d6fbe4..9b3b76b66a4 100644 --- a/Solutions/Azure SQL Database solution for sentinel/Data/Solution_AzureSQLDatabasesolutionforsentinel.json +++ b/Solutions/Azure SQL Database solution for sentinel/Data/Solution_AzureSQLDatabasesolutionforsentinel.json @@ -33,7 +33,7 @@ ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Azure SQL Database solution for sentinel", - "Version": "2.0.2", + "Version": "3.0.0", "TemplateSpec": true, "StaticDataConnectorIds": [ "AzureSql" 
diff --git a/Solutions/Azure SQL Database solution for sentinel/Package/3.0.0.zip b/Solutions/Azure SQL Database solution for sentinel/Package/3.0.0.zip
new file mode 100644
index 00000000000..c1f27fdb92d
Binary files /dev/null and b/Solutions/Azure SQL Database solution for sentinel/Package/3.0.0.zip differ
diff --git a/Solutions/Azure SQL Database solution for sentinel/Package/createUiDefinition.json b/Solutions/Azure SQL Database solution for sentinel/Package/createUiDefinition.json
index 634c34dc2f3..9eb10a7f8cc 100644
--- a/Solutions/Azure SQL Database solution for sentinel/Package/createUiDefinition.json
+++ b/Solutions/Azure SQL Database solution for sentinel/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Azure SQL Database](https://azure.microsoft.com/products/azure-sql/) solution for Microsoft Sentinel enables you to stream Azure SQL database audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. \r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor Resource Diagnostics ](https://docs.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Azure SQL Database](https://azure.microsoft.com/products/azure-sql/) solution for Microsoft Sentinel enables you to stream Azure SQL database audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. 
\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor Resource Diagnostics ](https://docs.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -60,7 +60,7 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the data connector for ingesting Azure SQL Database audit and diagnostic logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Azure SQL Database solution for sentinel. You can get Azure SQL Database solution for sentinel custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { 
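Review bot: The second bullet in the new basics description has a stray leading space (`\n\n • There may be [known issues]…`) that the first bullet (`\n\n• Review the solution…`) does not, so the two bullets render at different indents; drop the space so both begin `\n\n• `. The rest of the description keeps the old `\r\n` separators for the "Underlying Microsoft Technologies" section, which is inconsistent with the `\n\n` used above it but renders. The `basics` object continues past the hunk.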
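Review bot: The replacement `dataconnectors1-text` is less accurate than the sentence it removes: it calls the feed "custom log data", while the basics description in the same file says the connector streams Azure SQL audit and diagnostic logs via Azure Monitor Resource Diagnostics, i.e. the AzureDiagnostics table rather than a custom log. The removed wording was correct and specific; restore it as `This solution installs the data connector for ingesting Azure SQL Database audit and diagnostic logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view.` If this text is generated from a template, the override belongs in the solution's data file so it survives the next repackaging. The enclosing text-block element continues outside the hunk.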
@@ -264,7 +264,7 @@ "name": "analytic9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database. The detection is calculated inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window \n (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher threshold will detect only more severe anomalies)." + "text": "Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database.\nThe detection is calculated inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher threshold will detect only more severe anomalies)." } } ] 
@@ -278,7 +278,7 @@ "name": "analytic10-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database.\n The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window \n (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies)." + "text": "Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database.\n The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies)." } } ] diff --git a/Solutions/Azure SQL Database solution for sentinel/Package/mainTemplate.json b/Solutions/Azure SQL Database solution for sentinel/Package/mainTemplate.json index c26dec754fb..cc6b49ef992 100644 --- a/Solutions/Azure SQL Database solution for sentinel/Package/mainTemplate.json +++ b/Solutions/Azure SQL Database solution for sentinel/Package/mainTemplate.json 
@@ -38,144 +38,151 @@ } }, "variables": { - "solutionId": "sentinel4sql.sentinel4sql", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", + "_solutionName": "Azure SQL Database solution for sentinel", + "_solutionVersion": "3.0.0", + "solutionId": "sentinel4sql.sentinel4sql", + "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", "workbookContentId1": "AzureSQLSecurityWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "analyticRuleVersion1": "1.1.1", - "analyticRulecontentId1": "daa32afa-b5b6-427d-93e9-e32f3f359dd7", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", - "analyticRuleVersion2": "1.1.1", - "analyticRulecontentId2": "20f87813-3de0-4a9f-a8c0-6aaa3187be08", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", - "analyticRuleVersion3": "1.1.1", - "analyticRulecontentId3": "c815008d-f4d1-4645-b13b-8b4bc188d5de", - 
"_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", - "analyticRuleVersion4": "1.1.1", - "analyticRulecontentId4": "237c3855-138c-4588-a68f-b870abd3bfc9", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]", - "analyticRuleVersion5": "1.1.1", - "analyticRulecontentId5": "3367fd5e-44b3-4746-a9a5-dc15c8202490", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]", - "analyticRuleVersion6": "1.1.1", - "analyticRulecontentId6": "05030ca6-ef66-42ca-b672-2e84d4aaf5d7", - "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]", - "analyticRuleVersion7": "1.1.1", - "analyticRulecontentId7": "dabd7284-004b-4237-b5ee-a22acab19eb2", - "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": 
"[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]", - "analyticRuleVersion8": "1.1.1", - "analyticRulecontentId8": "c105513d-e398-4a02-bd91-54b9b2d6fa7d", - "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]", - "analyticRuleVersion9": "1.1.1", - "analyticRulecontentId9": "2a632013-379d-4993-956f-615063d31e10", - "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]", - "analyticRuleVersion10": "1.1.1", - "analyticRulecontentId10": "9851c360-5fd5-4bae-a117-b66d8476bf5e", - "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10')))]", - "huntingQueryVersion1": "1.0.1", - "huntingQuerycontentId1": "724c7010-0afe-4d46-95ab-32f6737e658b", - "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", - "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]", - "huntingQueryVersion2": "1.0.1", - "huntingQuerycontentId2": "4cda0673-37f9-4765-af1f-556de2295cd7", - "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", - "huntingQueryId2": 
"[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2')))]", - "huntingQueryVersion3": "1.0.0", - "huntingQuerycontentId3": "af55d5b0-6b4a-4874-8299-9d845bf7c1fd", - "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", - "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3')))]", - "huntingQueryVersion4": "1.0.1", - "huntingQuerycontentId4": "2a21303e-be48-404f-a6f6-883a6acfe5ad", - "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", - "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4')))]", - "huntingQueryVersion5": "1.0.1", - "huntingQuerycontentId5": "db5b0a77-1b1d-4a31-8ebb-c508ebc3bb38", - "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", - "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5')))]", - "huntingQueryVersion6": "1.0.1", - "huntingQuerycontentId6": "e0944dec-3c92-4b2d-8e81-a950afeaba69", - "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", - "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6')))]", - "huntingQueryVersion7": "1.0.1", - "huntingQuerycontentId7": 
"9670ac84-e035-47f5-8eb5-9d863a8a7893", - "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]", - "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7')))]", - "huntingQueryVersion8": "1.0.1", - "huntingQuerycontentId8": "137tyi7c-7225-434b-8bfc-fea28v95ebd8", - "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", - "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8')))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.1.1", + "_analyticRulecontentId1": "daa32afa-b5b6-427d-93e9-e32f3f359dd7", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'daa32afa-b5b6-427d-93e9-e32f3f359dd7')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('daa32afa-b5b6-427d-93e9-e32f3f359dd7')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','daa32afa-b5b6-427d-93e9-e32f3f359dd7','-', '1.1.1')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.1.1", + "_analyticRulecontentId2": "20f87813-3de0-4a9f-a8c0-6aaa3187be08", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '20f87813-3de0-4a9f-a8c0-6aaa3187be08')]", + "analyticRuleTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('20f87813-3de0-4a9f-a8c0-6aaa3187be08')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','20f87813-3de0-4a9f-a8c0-6aaa3187be08','-', '1.1.1')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.1.1", + "_analyticRulecontentId3": "c815008d-f4d1-4645-b13b-8b4bc188d5de", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c815008d-f4d1-4645-b13b-8b4bc188d5de')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c815008d-f4d1-4645-b13b-8b4bc188d5de')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c815008d-f4d1-4645-b13b-8b4bc188d5de','-', '1.1.1')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.1.1", + "_analyticRulecontentId4": "237c3855-138c-4588-a68f-b870abd3bfc9", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '237c3855-138c-4588-a68f-b870abd3bfc9')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('237c3855-138c-4588-a68f-b870abd3bfc9')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','237c3855-138c-4588-a68f-b870abd3bfc9','-', '1.1.1')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.1.1", + "_analyticRulecontentId5": "3367fd5e-44b3-4746-a9a5-dc15c8202490", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3367fd5e-44b3-4746-a9a5-dc15c8202490')]", + 
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3367fd5e-44b3-4746-a9a5-dc15c8202490')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3367fd5e-44b3-4746-a9a5-dc15c8202490','-', '1.1.1')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.1.1", + "_analyticRulecontentId6": "05030ca6-ef66-42ca-b672-2e84d4aaf5d7", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '05030ca6-ef66-42ca-b672-2e84d4aaf5d7')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('05030ca6-ef66-42ca-b672-2e84d4aaf5d7')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','05030ca6-ef66-42ca-b672-2e84d4aaf5d7','-', '1.1.1')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.1.1", + "_analyticRulecontentId7": "dabd7284-004b-4237-b5ee-a22acab19eb2", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dabd7284-004b-4237-b5ee-a22acab19eb2')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dabd7284-004b-4237-b5ee-a22acab19eb2')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dabd7284-004b-4237-b5ee-a22acab19eb2','-', '1.1.1')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.1.1", + "_analyticRulecontentId8": "c105513d-e398-4a02-bd91-54b9b2d6fa7d", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'c105513d-e398-4a02-bd91-54b9b2d6fa7d')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c105513d-e398-4a02-bd91-54b9b2d6fa7d')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c105513d-e398-4a02-bd91-54b9b2d6fa7d','-', '1.1.1')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.1.2", + "_analyticRulecontentId9": "2a632013-379d-4993-956f-615063d31e10", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2a632013-379d-4993-956f-615063d31e10')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2a632013-379d-4993-956f-615063d31e10')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2a632013-379d-4993-956f-615063d31e10','-', '1.1.2')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "1.1.2", + "_analyticRulecontentId10": "9851c360-5fd5-4bae-a117-b66d8476bf5e", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9851c360-5fd5-4bae-a117-b66d8476bf5e')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9851c360-5fd5-4bae-a117-b66d8476bf5e')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9851c360-5fd5-4bae-a117-b66d8476bf5e','-', '1.1.2')))]" + }, + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.1", + "_huntingQuerycontentId1": "724c7010-0afe-4d46-95ab-32f6737e658b", + "huntingQueryTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('724c7010-0afe-4d46-95ab-32f6737e658b')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "1.0.1", + "_huntingQuerycontentId2": "4cda0673-37f9-4765-af1f-556de2295cd7", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4cda0673-37f9-4765-af1f-556de2295cd7')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.0", + "_huntingQuerycontentId3": "af55d5b0-6b4a-4874-8299-9d845bf7c1fd", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('af55d5b0-6b4a-4874-8299-9d845bf7c1fd')))]" + }, + "huntingQueryObject4": { + "huntingQueryVersion4": "1.0.1", + "_huntingQuerycontentId4": "2a21303e-be48-404f-a6f6-883a6acfe5ad", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2a21303e-be48-404f-a6f6-883a6acfe5ad')))]" + }, + "huntingQueryObject5": { + "huntingQueryVersion5": "1.0.1", + "_huntingQuerycontentId5": "db5b0a77-1b1d-4a31-8ebb-c508ebc3bb38", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('db5b0a77-1b1d-4a31-8ebb-c508ebc3bb38')))]" + }, + "huntingQueryObject6": { + "huntingQueryVersion6": "1.0.1", + "_huntingQuerycontentId6": "e0944dec-3c92-4b2d-8e81-a950afeaba69", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e0944dec-3c92-4b2d-8e81-a950afeaba69')))]" + }, + "huntingQueryObject7": { + "huntingQueryVersion7": "1.0.1", + "_huntingQuerycontentId7": "9670ac84-e035-47f5-8eb5-9d863a8a7893", + "huntingQueryTemplateSpecName7": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9670ac84-e035-47f5-8eb5-9d863a8a7893')))]" + }, + "huntingQueryObject8": { + "huntingQueryVersion8": "1.0.1", + "_huntingQuerycontentId8": "137tyi7c-7225-434b-8bfc-fea28v95ebd8", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('137tyi7c-7225-434b-8bfc-fea28v95ebd8')))]" + }, "uiConfigId1": "AzureSql", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "AzureSql", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0" + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": 
"2023-04-01-preview", "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Workbook with template", - "displayName": "Azure SQL Database solution for sentinel workbook template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Workbook-AzureSQLSecurityWorkbook Workbook with template version 2.0.2", + "description": "Workbook-AzureSQLSecurity Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -248,47 +255,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 1 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
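Review bot: `huntingQueryObject8._huntingQuerycontentId8` is `137tyi7c-7225-434b-8bfc-fea28v95ebd8`, which is not a valid GUID (it contains `t`, `y`, `i` and `v`, outside the hex alphabet); it was already wrong on the removed side and is now copied twice more, into the literal passed to `uniquestring(...)` for `huntingQueryTemplateSpecName8`. ARM will accept it as a string, but anything downstream that validates or correlates Sentinel content IDs as GUIDs will not match it, and it will silently diverge from the other seven hunting queries; the value should be replaced with a real GUID in the source hunting-query definition and the package regenerated, since this file looks tool-generated. Separately, `workspaceResourceId` is still defined although the `hidden-sentinelWorkspaceId` tags that consumed it are removed in this hunk — if no remaining resource references it, it is now a dead variable. The `variables` object closes in this hunk but the `resources` array it opens continues past the hunk.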
"Detection-ErrorsCredentialStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-ErrorsCredentialStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId1')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -306,10 +306,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -320,7 +320,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -330,43 +329,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } 
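Review bot: The hand-edited `"description"` string ("... Analytics Rule with template version 3.0.0") duplicates the version that `packageVersion` already takes from `variables('_solutionVersion')`, and this hunk shows exactly the drift risk — every description had to be bumped from 2.0.2 to 3.0.0 by hand. If these descriptions are maintained manually rather than emitted by the packaging tool, deriving them is safer: `"description": "[concat('Detection-ErrorsCredentialStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version ', variables('_solutionVersion'))]"`. The `contentTemplates` resource begun here ends on this line before the `@@ -306` hunk, while its nested `mainTemplate` body is only partly visible.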
@@ -374,13 +374,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -399,47 +399,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 2 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Credential errors stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-ErrorsFirewallStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-ErrorsFirewallStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -457,10 +450,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -471,7 +464,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -481,43 +473,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -525,13 +518,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -550,47 +543,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 3 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Firewall errors stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-ErrorsSyntaxStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-ErrorsSyntaxStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -608,10 +594,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -622,7 +608,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -632,43 +617,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -676,13 +662,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -701,47 +687,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 4 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "Syntax errors stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-HotwordsDropStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-HotwordsDropStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId4')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -759,10 +738,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -773,7 +752,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -783,43 +761,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -827,13 +806,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -852,47 +831,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 5 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentKind": "AnalyticsRule", + "displayName": "Drop attempts stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-HotwordsExecutionStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-HotwordsExecutionStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId5')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -910,10 +882,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -924,7 +896,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -934,43 +905,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -978,13 +950,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1003,47 +975,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 6 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentKind": "AnalyticsRule", + "displayName": "Execution attempts stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-HotwordsFirewallRuleStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-HotwordsFirewallRuleStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId6')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1061,10 +1026,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -1075,7 +1040,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -1085,43 +1049,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -1129,13 +1094,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1154,47 +1119,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 7 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentKind": "AnalyticsRule", + "displayName": "Firewall rule manipulation attempts stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-HotwordsOLEObjectStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-HotwordsOLEObjectStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId7')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1212,10 +1170,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -1226,7 +1184,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -1236,43 +1193,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -1280,13 +1238,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 7", - "parentId": "[variables('analyticRuleId7')]", - "contentId": "[variables('_analyticRulecontentId7')]", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion7')]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1305,47 +1263,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 8 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentKind": "AnalyticsRule", + "displayName": "OLE object manipulation attempts stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-HotwordsOutgoingStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-HotwordsOutgoingStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId8')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1363,10 +1314,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -1377,7 +1328,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -1387,43 +1337,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -1431,13 +1382,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1456,51 +1407,44 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName9')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 9 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "contentKind": "AnalyticsRule", + "displayName": "Outgoing connection attempts stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-VolumeAffectedRowsStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-VolumeAffectedRowsStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId9')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database. The detection is calculated inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window \n (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher threshold will detect only more severe anomalies).", + "description": "Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database.\nThe detection is calculated inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). 
The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher threshold will detect only more severe anomalies).", "displayName": "Affected rows stateful anomaly on database", "enabled": false, "query": "let volumeThresholdZ = 3.0; // Minimal threshold for the Zscore to trigger anomaly (number of standard deviations above mean). If set higher, only very significant alerts will fire.\nlet volumeThresholdQ = volumeThresholdZ; // Minimal threshold for the Qscore to trigger anomaly (number of Inter-Percentile Ranges above high percentile). If set higher, only very significant alerts will fire.\nlet volumeThresholdHardcoded = 500; // Minimal value for the volume metric to trigger anomaly.\nlet detectionWindow = 1h; // The size of the recent detection window for detecting anomalies. \nlet trainingWindow = detectionWindow + 14d; // The size of the training window before the detection window for learning the normal state.\nlet monitoredColumn = 'AffectedRows'; // The name of the column for volumetric anomalies.\nlet processedData = materialize (\n AzureDiagnostics\n | where TimeGenerated >= ago(trainingWindow)\n | where Category == 'SQLSecurityAuditEvents' and action_id_s has_any (\"RCM\", \"BCM\") // Keep only SQL affected rows\n | project TimeGenerated, PrincipalName = server_principal_name_s, ClientIp = client_ip_s, HostName = host_name_s, ResourceId,\n ApplicationName = application_name_s, ActionName = action_name_s, Database = strcat(LogicalServerName_s, '/', database_name_s),\n IsSuccess = succeeded_s, AffectedRows = affected_rows_d,\n ResponseRows = response_rows_d, Statement = statement_s\n | extend QuantityColumn = column_ifexists(monitoredColumn, 0)\n | extend WindowType = case( TimeGenerated >= ago(detectionWindow), 'detection',\n (ago(trainingWindow) <= TimeGenerated and TimeGenerated < ago(detectionWindow)), 'training', 'other')\n | where WindowType in ('detection', 'training'));\nlet 
trainingSet =\n processedData\n | where WindowType == 'training'\n | summarize AvgVal = round(avg(QuantityColumn), 2), StdVal = round(stdev(QuantityColumn), 2), N = count(),\n P99Val = round(percentile(QuantityColumn, 99), 2), P50Val = round(percentile(QuantityColumn, 50), 2)\n by Database;\nprocessedData\n| where WindowType == 'detection'\n| join kind = inner (trainingSet) on Database\n| extend ZScoreVal = iff(N >= 20, round(todouble(QuantityColumn - AvgVal) / todouble(StdVal + 1), 2), 0.00),\n QScoreVal = iff(N >= 20, round(todouble(QuantityColumn - P99Val) / todouble(P99Val - P50Val + 1), 2), 0.00)\n| extend IsVolumeAnomalyOnVal = iff((ZScoreVal > volumeThresholdZ and QScoreVal > volumeThresholdQ and QuantityColumn > volumeThresholdHardcoded), true, false), AnomalyScore = round((ZScoreVal + QScoreVal)/2, 0)\n| project TimeGenerated, Database, PrincipalName, ClientIp, HostName, ApplicationName, ActionName, Statement,\n IsSuccess, ResponseRows, AffectedRows, IsVolumeAnomalyOnVal, AnomalyScore,ResourceId\n| where IsVolumeAnomalyOnVal == 'true'\n| sort by AnomalyScore desc, TimeGenerated desc\n| extend Name = tostring(split(PrincipalName,'@',0)[0]), UPNSuffix = tostring(split(PrincipalName,'@',1)[0])\n", @@ -1514,10 +1458,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -1530,7 +1474,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
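Review bot: The rewritten description on the `+` line still tells operators to tune `volThresholdZ` and `volThresholdQ`, but the query in this hunk declares `volumeThresholdZ` and `volumeThresholdQ`, so anyone who opens the rule to raise the sensitivity will search for parameter names that do not exist. The description also omits the third gate, `volumeThresholdHardcoded = 500`, which `IsVolumeAnomalyOnVal` requires to be exceeded before anything fires, so an operator lowering the Z/Q thresholds may still see no alerts and not know why. Suggest ending the description with `...by changing the threshold parameters volumeThresholdZ and volumeThresholdQ, together with the absolute floor volumeThresholdHardcoded (higher thresholds will detect only more severe anomalies).` The AlertRuleTemplates resource this description belongs to continues past the end of the hunk.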
@@ -1540,43 +1483,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -1584,13 +1528,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1609,51 +1553,44 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName10')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 10 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentKind": "AnalyticsRule", + "displayName": "Affected rows stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName10'),'/',variables('analyticRuleVersion10'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-VolumeResponseRowsStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-VolumeResponseRowsStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId10')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database.\n The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window \n (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies).", + "description": "Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database.\n The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). 
The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies).", "displayName": "Response rows stateful anomaly on database", "enabled": false, "query": "let volumeThresholdZ = 3.0; // Minimal threshold for the Zscore to trigger anomaly (number of standard deviations above mean). If set higher, only very significant alerts will fire.\nlet volumeThresholdQ = volumeThresholdZ; // Minimal threshold for the Qscore to trigger anomaly (number of Inter-Percentile Ranges above high percentile). If set higher, only very significant alerts will fire.\nlet volumeThresholdHardcoded = 500; // Minimal value for the volume metric to trigger anomaly.\nlet detectionWindow = 1h; // The size of the recent detection window for detecting anomalies. \nlet trainingWindow = detectionWindow + 14d; // The size of the training window before the detection window for learning the normal state.\nlet monitoredColumn = 'ResponseRows'; // The name of the column for volumetric anomalies.\nlet processedData = materialize (\n AzureDiagnostics\n | where TimeGenerated >= ago(trainingWindow)\n | where Category == 'SQLSecurityAuditEvents' and action_id_s has_any (\"RCM\", \"BCM\") // Keep only SQL affected rows\n | project TimeGenerated, PrincipalName = server_principal_name_s, ClientIp = client_ip_s, HostName = host_name_s, ResourceId,\n ApplicationName = application_name_s, ActionName = action_name_s, Database = strcat(LogicalServerName_s, '/', database_name_s),\n IsSuccess = succeeded_s, AffectedRows = affected_rows_d,\n ResponseRows = response_rows_d, Statement = statement_s\n | extend QuantityColumn = column_ifexists(monitoredColumn, 0)\n | extend WindowType = case( TimeGenerated >= ago(detectionWindow), 'detection',\n (ago(trainingWindow) <= TimeGenerated and TimeGenerated < ago(detectionWindow)), 'training', 'other')\n | where WindowType in ('detection', 'training'));\nlet 
trainingSet =\n processedData\n | where WindowType == 'training'\n | summarize AvgVal = round(avg(QuantityColumn), 2), StdVal = round(stdev(QuantityColumn), 2), N = count(),\n P99Val = round(percentile(QuantityColumn, 99), 2), P50Val = round(percentile(QuantityColumn, 50), 2)\n by Database;\nprocessedData\n| where WindowType == 'detection'\n| join kind = inner (trainingSet) on Database\n| extend ZScoreVal = iff(N >= 20, round(todouble(QuantityColumn - AvgVal) / todouble(StdVal + 1), 2), 0.00),\n QScoreVal = iff(N >= 20, round(todouble(QuantityColumn - P99Val) / todouble(P99Val - P50Val + 1), 2), 0.00)\n| extend IsVolumeAnomalyOnVal = iff((ZScoreVal > volumeThresholdZ and QScoreVal > volumeThresholdQ and QuantityColumn > volumeThresholdHardcoded), true, false), AnomalyScore = round((ZScoreVal + QScoreVal)/2, 0)\n| project TimeGenerated, Database, PrincipalName, ClientIp, HostName, ApplicationName, ActionName, Statement,\n IsSuccess, ResponseRows, AffectedRows, IsVolumeAnomalyOnVal, AnomalyScore, ResourceId\n| where IsVolumeAnomalyOnVal == 'true'\n| sort by AnomalyScore desc, TimeGenerated desc\n| extend Name = tostring(split(PrincipalName,'@',0)[0]), UPNSuffix = tostring(split(PrincipalName,'@',1)[0])\n", @@ -1667,10 +1604,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -1682,7 +1619,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
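Review bot: Same naming mismatch as in the previous rule: the new description line refers to `volThresholdZ` and `volThresholdQ`, while the query defines `volumeThresholdZ`, `volumeThresholdQ` and an additional `volumeThresholdHardcoded = 500` gate that the description never mentions. Because this is the "Response rows" rule aimed at exfiltration, an analyst tuning it for a small database (where 500 returned rows may already be abnormal) needs to know the hard floor exists and what it is called. Suggest `...by changing the threshold parameters volumeThresholdZ and volumeThresholdQ, together with the absolute floor volumeThresholdHardcoded (higher thresholds will detect only more severe anomalies).` The enclosing AlertRuleTemplates resource runs past the hunk boundary.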
@@ -1692,43 +1628,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -1736,13 +1673,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1761,46 +1698,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 1 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "contentKind": "AnalyticsRule", + "displayName": "Response rows stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-AffectedRowAnomaly_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-AffectedRowAnomaly_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion1')]", + "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_1", "location": "[parameters('workspace-location')]", "properties": { 
@@ -1828,13 +1758,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 1", - "parentId": "[variables('huntingQueryId1')]", - "contentId": "[variables('_huntingQuerycontentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion1')]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1853,53 +1783,46 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 2 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "contentKind": "HuntingQuery", + "displayName": "Anomalous Query Execution Time", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-BooleanBlindSQLi_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-BooleanBlindSQLi_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion2')]", + "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_2", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": "Boolean Blind SQL Injection", "category": "Hunting Queries", - "query": "let timeRange = 7d;\n//How frequently the query averages data for an average execution time\nlet timeSliceSize = 1h;\n//Anomaly decompose threshold, 2 by default\nlet scoreThreshold = 2;\nlet processedData = materialize (\n AzureDiagnostics\n | where TimeGenerated > ago(timeRange)\n | where Category == 'SQLSecurityAuditEvents' and action_id_s has_any (\"RCM\", \"BCM\") // Keep only SQL affected rows\n | project TimeGenerated, PrincipalName = server_principal_name_s, ClientIp = client_ip_s, HostName = host_name_s, ResourceId,\n ApplicationName = application_name_s, ActionName = action_name_s, Database = strcat(LogicalServerName_s, '/', database_name_s),\n IsSuccess = succeeded_s, DurationMs = duration_milliseconds_d, AffectedRows = affected_rows_d,\n ResponseRows = response_rows_d, Statement = statement_s,\n Error = case( 
additional_information_s has 'error_code', toint(extract(\"([0-9.]+)\", 1, additional_information_s))\n , additional_information_s has 'failure_reason', toint(extract(\"Err ([0-9.]+)\", 1, additional_information_s))\n , 0),\n State = case( additional_information_s has 'error_state', toint(extract(\"([0-9.]+)\", 1, additional_information_s))\n , additional_information_s has 'failure_reason', toint(extract(\"Err ([0-9.]+), Level ([0-9.]+)\", 2, additional_information_s))\n , 0),\n AdditionalInfo = additional_information_s, timeSlice = floor(TimeGenerated, timeSliceSize));\nlet queryData = processedData\n| where Statement contains \"=\"\n| extend extract_equals = extract_all(@\"([a-zA-Z0-9\\-\\']+\\s?=\\s?[a-zA-Z0-9\\-\\']+)\", Statement)\n| where extract_equals != \"\"\n| mv-expand extract_equals\n| extend left = tostring(split(extract_equals, \"=\", 0)[0])\n| extend right = tostring(split(extract_equals, \"=\", 1)[0]);\nlet cleanData = queryData\n| where left !has \"'\" and right !has \"'\";\n//Data has a quote in both sides, we need to parse this properly\n//We only care when the query is balanced e.g. 
'1'='1', so both sides will have a quote\n//This allows us to drop some results early\nlet quoteData = queryData\n| where left has \"'\" and right has \"'\"\n| extend extract_equals = extract_all(@\"(\\'.+\\'\\s?=\\s?\\'.+\\')\", Statement)\n| extend left = tostring(split(extract_equals, \"=\", 0)[0])\n| extend right = tostring(split(extract_equals, \"=\", 1)[0]);\ncleanData\n| union quoteData\n| where left == right\n| extend alertText = strcat(left, \"=\", right)\n| summarize AlertText=make_list(alertText, 10000) by TimeGenerated, Database, ClientIp, PrincipalName, Statement, ApplicationName, ResourceId\n| extend Name = tostring(split(PrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(PrincipalName, '@', 1)[0])\n| extend Account_0_Name = Name\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend IP_0_Address = ClientIp\n| extend Host_0_Hostname = HostName\n| extend CloudApplication_0_Name = ApplicationName\n| extend AzureResource_0_ResourceId = ResourceId\n", + "query": "let timeRange = 7d;\n//How frequently the query averages data for an average execution time\nlet timeSliceSize = 1h;\n//Anomaly decompose threshold, 2 by default\nlet scoreThreshold = 2;\nlet processedData = materialize (\n AzureDiagnostics\n | where TimeGenerated > ago(timeRange)\n | where Category == 'SQLSecurityAuditEvents' and action_id_s has_any (\"RCM\", \"BCM\") // Keep only SQL affected rows\n | project TimeGenerated, PrincipalName = server_principal_name_s, ClientIp = client_ip_s, HostName = host_name_s, ResourceId,\n ApplicationName = application_name_s, ActionName = action_name_s, Database = strcat(LogicalServerName_s, '/', database_name_s),\n IsSuccess = succeeded_s, DurationMs = duration_milliseconds_d, AffectedRows = affected_rows_d,\n ResponseRows = response_rows_d, Statement = statement_s,\n Error = case( additional_information_s has 'error_code', toint(extract(\"([0-9.]+)\", 1, additional_information_s))\n , additional_information_s has 'failure_reason', toint(extract(\"Err 
([0-9.]+)\", 1, additional_information_s))\n , 0),\n State = case( additional_information_s has 'error_state', toint(extract(\"([0-9.]+)\", 1, additional_information_s))\n , additional_information_s has 'failure_reason', toint(extract(\"Err ([0-9.]+), Level ([0-9.]+)\", 2, additional_information_s))\n , 0),\n AdditionalInfo = additional_information_s, timeSlice = floor(TimeGenerated, timeSliceSize));\nlet queryData = processedData\n| where Statement contains \"=\"\n| extend extract_equals = extract_all(@\"([a-zA-Z0-9\\-\\']+\\s?=\\s?[a-zA-Z0-9\\-\\']+)\", Statement)\n| where extract_equals != \"\"\n| mv-expand extract_equals\n| extend left = tostring(split(extract_equals, \"=\", 0)[0])\n| extend right = tostring(split(extract_equals, \"=\", 1)[0]);\nlet cleanData = queryData\n| where left !has \"'\" and right !has \"'\";\n//Data has a quote in both sides, we need to parse this properly\n//We only care when the query is balanced e.g. '1'='1', so both sides will have a quote\n//This allows us to drop some results early\nlet quoteData = queryData\n| where left has \"'\" and right has \"'\"\n| extend extract_equals = extract_all(@\"(\\'.+\\'\\s?=\\s?\\'.+\\')\", Statement)\n| extend left = tostring(split(extract_equals, \"=\", 0)[0])\n| extend right = tostring(split(extract_equals, \"=\", 1)[0]);\ncleanData\n| union quoteData\n| where left == right\n| extend alertText = strcat(left, \"=\", right)\n| summarize AlertText=make_list(alertText, 10000) by TimeGenerated, Database, ClientIp, PrincipalName, Statement, ApplicationName, ResourceId, HostName\n| extend Name = tostring(split(PrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(PrincipalName, '@', 1)[0])\n| extend Account_0_Name = Name\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend IP_0_Address = ClientIp\n| extend Host_0_Hostname = HostName\n| extend CloudApplication_0_Name = ApplicationName\n| extend AzureResource_0_ResourceId = ResourceId\n", "version": 2, "tags": [ { 
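Review bot: The contentTemplate closed at the top of this hunk belongs to hunting query 1 (its `contentId` is `huntingQueryObject1._huntingQuerycontentId1`, and the previous hunk describes its mainTemplate as `HuntingQuery-AffectedRowAnomaly_HuntingQueries`), yet the new `displayName` is `"Anomalous Query Execution Time"`, which reads like the title of the ExecutionTimeAnomaly query that is hunting query 3 later in the file. This displayName is what the Content hub presents, so if it is wrong the affected-rows hunt will be installed under an execution-time label; the savedSearch's own displayName for query 1 is outside this hunk, so please confirm against it and make the two agree. The Boolean Blind SQL Injection query change further down correctly adds `HostName` to the `summarize ... by` list so that `Host_0_Hostname = HostName` no longer references a column the summarize had dropped; while that query is being touched, the `timeSliceSize`, `scoreThreshold` and `timeSlice` definitions it still carries are never used and could be removed so the hunt does not suggest anomaly scoring it does not perform.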
@@ -1920,13 +1843,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 2", - "parentId": "[variables('huntingQueryId2')]", - "contentId": "[variables('_huntingQuerycontentId2')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion2')]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1945,46 +1868,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 3 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "contentKind": "HuntingQuery", + "displayName": "Boolean Blind SQL Injection", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-ExecutionTimeAnomaly_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-ExecutionTimeAnomaly_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion3')]", + "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_3", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2012,13 +1928,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 3", - "parentId": "[variables('huntingQueryId3')]", - "contentId": "[variables('_huntingQuerycontentId3')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion3')]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2037,46 +1953,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 4 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "contentKind": "HuntingQuery", + "displayName": "Anomalous Query Execution Time", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "version": "1.0.0" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName4'),'/',variables('huntingQueryVersion4'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-PrevalenceBasedQuerySizeAnomaly_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-PrevalenceBasedQuerySizeAnomaly_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion4')]", + "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_4", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2104,13 +2013,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 4", - "parentId": "[variables('huntingQueryId4')]", - "contentId": "[variables('_huntingQuerycontentId4')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion4')]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2129,46 +2038,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 5 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "contentKind": "HuntingQuery", + "displayName": "Prevalence Based SQL Query Size Anomaly", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName5'),'/',variables('huntingQueryVersion5'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-SuspiciousStoredProcedures_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-SuspiciousStoredProcedures_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion5')]", + "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_5", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2196,13 +2098,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 5", - "parentId": "[variables('huntingQueryId5')]", - "contentId": "[variables('_huntingQuerycontentId5')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion5')]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2221,46 +2123,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 6 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "contentKind": "HuntingQuery", + "displayName": "Suspicious SQL Stored Procedures", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName6'),'/',variables('huntingQueryVersion6'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-TimeBasedQuerySizeAnomaly_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-TimeBasedQuerySizeAnomaly_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion6')]", + "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_6", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2288,13 +2183,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 6", - "parentId": "[variables('huntingQueryId6')]", - "contentId": "[variables('_huntingQuerycontentId6')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion6')]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2313,46 +2208,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 7 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "contentKind": "HuntingQuery", + "displayName": "Time Based SQL Query Size Anomaly", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName7'),'/',variables('huntingQueryVersion7'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-VolumeAffectedRowsStatefulAnomalyOnDatabase_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-VolumeAffectedRowsStatefulAnomalyOnDatabase_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion7')]", + "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_7", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2380,13 +2268,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 7", - "parentId": "[variables('huntingQueryId7')]", - "contentId": "[variables('_huntingQuerycontentId7')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion7')]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2405,46 +2293,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 8 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "contentKind": "HuntingQuery", + "displayName": "Affected rows stateful anomaly on database - hunting query", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName8'),'/',variables('huntingQueryVersion8'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, 
"dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-VolumeResponseRowsStatefulAnomalyOnDatabase_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-VolumeResponseRowsStatefulAnomalyOnDatabase_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion8')]", + "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_8", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2472,13 +2353,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 8", - "parentId": "[variables('huntingQueryId8')]", - "contentId": "[variables('_huntingQuerycontentId8')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion8')]", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2497,37 +2378,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "contentKind": "HuntingQuery", + "displayName": "Response rows stateful anomaly on database - hunting query", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel data connector with template", - "displayName": "Azure SQL Database solution for sentinel template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', 
variables('dataConnectorTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Azure SQL Database solution for sentinel data connector with template version 2.0.2", + "description": "Azure SQL Database solution for sentinel data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -2692,7 +2566,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", 
@@ -2717,12 +2591,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Azure SQL Databases", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId1')]" @@ -2907,13 +2792,20 @@ } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.2", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "Azure SQL Database solution for sentinel", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Azure SQL Database solution for Microsoft Sentinel enables you to stream Azure SQL database audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor Resource Diagnostics
  2. \n
\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 8

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { 
@@ -2941,93 +2833,93 @@ }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": 
"[variables('analyticRuleObject7').analyticRuleVersion7]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId8')]", - "version": "[variables('analyticRuleVersion8')]" + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId10')]", - "version": "[variables('analyticRuleVersion10')]" + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId1')]", - "version": "[variables('huntingQueryVersion1')]" + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId3')]", - "version": "[variables('huntingQueryVersion3')]" + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + 
"version": "[variables('huntingQueryObject4').huntingQueryVersion4]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId5')]", - "version": "[variables('huntingQueryVersion5')]" + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId6')]", - "version": "[variables('huntingQueryVersion6')]" + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId7')]", - "version": "[variables('huntingQueryVersion7')]" + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId8')]", - "version": "[variables('huntingQueryVersion8')]" + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]" }, { "kind": "DataConnector", diff --git a/Solutions/Azure SQL Database solution for sentinel/Package/testParameters.json b/Solutions/Azure SQL Database solution for sentinel/Package/testParameters.json new file mode 100644 index 00000000000..f4f45342aa2 --- /dev/null +++ b/Solutions/Azure SQL Database solution for sentinel/Package/testParameters.json 
@@ -0,0 +1,32 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Azure SQL Database Workbook",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
diff --git a/Solutions/Azure SQL Database solution for sentinel/ReleaseNotes.md b/Solutions/Azure SQL Database solution for sentinel/ReleaseNotes.md
new file mode 100644
index 00000000000..44c537020ef
--- /dev/null
+++ b/Solutions/Azure SQL Database solution for sentinel/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------------|
+| 3.0.0 | 25-10-2024 | Updated description of CreateUi and **Analytic Rule** |
\ No newline at end of file
diff --git a/Solutions/Bitglass/ReleaseNotes.md b/Solutions/Bitglass/ReleaseNotes.md
index 045a358b890..a9fd322af45 100644
--- a/Solutions/Bitglass/ReleaseNotes.md
+++ b/Solutions/Bitglass/ReleaseNotes.md
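Review bot: `workspace` and `workspace-location` are declared with `"defaultValue": ""` and no `minLength`, while `location` and `workbook1-name` carry `"minLength": 1`, so an empty workspace name passes parameter validation and only fails later when resource names such as `concat(parameters('workspace'), '/Microsoft.SecurityInsights/', ...)` are built. Adding `"minLength": 1` to both `workspace` and `workspace-location` (and to the matching entries in mainTemplate.json's parameters section, which is outside this diff) rejects the empty value up front. If this file is emitted by the solution packaging tool, the change belongs in the generator's parameter template rather than in this copy.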
@@ -1,3 +1,3 @@
-| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
-|-------------|--------------------------------|---------------------------------------------|
-| 3.0.0 | 28-08-2024 | Updated the python runtime version to **3.11** |
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------------|
+| 3.0.0 | 21-10-2024 | Updated the python runtime version to **3.11** and updated functional URL|