diff --git a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DCR.json b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DCR.json index b63df9523f3..0ee790c46ab 100644 --- a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DCR.json +++ b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DCR.json @@ -1147,7 +1147,7 @@ "destinations": [ "clv2ws1" ], - "transformKql": "source\n | project TimeGenerated = detection_timestamp, Version = version, AlertUrl = alert_url, Id = id, AlertType = type, IsUpdated = is_updated, DetectionTimestamp = detection_timestamp, BackendTimestamp = backend_timestamp, BackendUpdateTimestamp = backend_update_timestamp, FirstEventTimestamp = first_event_timestamp, LastEventTimestamp = last_event_timestamp, Severity = severity, Reason = reason, ThreatId = threat_id, PrimaryEventId = primary_event_id, Workflow = workflow, Determination = determination, AlertNotesPresent = alert_notes_present, PolicyApplied = policy_applied, RunState = run_state, ReasonCode = reason_code, SensorAction = sensor_action, DeviceTargetValue = device_target_value, DevicePolicyId = device_policy_id, DevicePolicy = device_policy, DeviceId = device_id, DeviceName = device_name, DeviceOs = device_os, DeviceOsVersion = device_os_version, DeviceUsername = device_username, DeviceLocation = device_location, DeviceExternalIp = device_external_ip, DeviceInternalIp = device_internal_ip, ReportId = report_id, ReportName = report_name, ReportDescription = report_description, ReportTags = report_tags, ReportLink = report_link, IocId = ioc_id, IocHit = ioc_hit, Watchlists = watchlists, ProcessGuid = process_guid, ProcessPid = process_pid, ProcessName = process_name, ProcessSha256 = process_sha256, ProcessMd5 = process_md5, ProcessReputation = process_reputation, ProcessEffectiveReputation = process_effective_reputation, ProcessCmdline = process_cmdline, ProcessUsername = process_username, ProcessIssuer = process_issuer, ProcessPublisher = process_publisher, ParentGuid = parent_guid, ParentPid = parent_pid, ParentName = parent_name, ParentSha256 = parent_sha256, ParentMd5 = parent_md5, ParentReputation = parent_reputation, ParentEffectiveReputation = parent_effective_reputation, ParentCmdline = parent_cmdline, ParentUsername = parent_username, MdrAlertNotesPresent = mdr_alert_notes_present, MdrAlert = mdr_alert, MlClassificationFinalVerdict = ml_classification_final_verdict, MlClassificationGlobalPrevalence = ml_classification_global_prevalence, MlClassificationOrgPrevalence = ml_classification_org_prevalence", + "transformKql": "source\n | project TimeGenerated = todatetime(detection_timestamp), Version = version, AlertUrl = alert_url, Id = id, AlertType = type, IsUpdated = is_updated, DetectionTimestamp = detection_timestamp, BackendTimestamp = backend_timestamp, BackendUpdateTimestamp = backend_update_timestamp, FirstEventTimestamp = first_event_timestamp, LastEventTimestamp = last_event_timestamp, Severity = severity, Reason = reason, ThreatId = threat_id, PrimaryEventId = primary_event_id, Workflow = workflow, Determination = determination, AlertNotesPresent = alert_notes_present, PolicyApplied = policy_applied, RunState = run_state, ReasonCode = reason_code, SensorAction = sensor_action, DeviceTargetValue = device_target_value, DevicePolicyId = device_policy_id, DevicePolicy = device_policy, DeviceId = device_id, DeviceName = device_name, DeviceOs = device_os, DeviceOsVersion = device_os_version, DeviceUsername = device_username, DeviceLocation = device_location, DeviceExternalIp = device_external_ip, DeviceInternalIp = device_internal_ip, ReportId = report_id, ReportName = report_name, ReportDescription = report_description, ReportTags = report_tags, ReportLink = report_link, IocId = ioc_id, IocHit = ioc_hit, Watchlists = watchlists, ProcessGuid = process_guid, ProcessPid = process_pid, ProcessName = process_name, ProcessSha256 = process_sha256, ProcessMd5 = process_md5, ProcessReputation = process_reputation, ProcessEffectiveReputation = process_effective_reputation, ProcessCmdline = process_cmdline, ProcessUsername = process_username, ProcessIssuer = process_issuer, ProcessPublisher = process_publisher, ParentGuid = parent_guid, ParentPid = parent_pid, ParentName = parent_name, ParentSha256 = parent_sha256, ParentMd5 = parent_md5, ParentReputation = parent_reputation, ParentEffectiveReputation = parent_effective_reputation, ParentCmdline = parent_cmdline, ParentUsername = parent_username, MdrAlertNotesPresent = mdr_alert_notes_present, MdrAlert = mdr_alert, MlClassificationFinalVerdict = ml_classification_final_verdict, MlClassificationGlobalPrevalence = ml_classification_global_prevalence, MlClassificationOrgPrevalence = ml_classification_org_prevalence", "outputStream": "Custom-CarbonBlack_Alerts_CL" }, { @@ -1157,7 +1157,7 @@ "destinations": [ "clv2ws1" ], - "transformKql": "source \n| project TimeGenerated = create_time, DeviceExternalIp = device_external_ip, DeviceId = device_id, DeviceInternalIp = device_internal_ip, DeviceName = device_name, IocHit = ioc_hit, IocId = ioc_id, OrgKey = org_key, ParentCmdline = parent_cmdline, ParentPath = parent_path, ParentPid = parent_pid, ProcessCmdline = process_cmdline, ProcessPath = process_path, ProcessPid = process_pid, ParentUsername = parent_username, ProcessUsername = process_username, ReportId = report_id, ReportName = report_name, Severity = severity, ReportTags = report_tags, Schema = schema, CreateTime = create_time, DeviceOs = device_os, ParentGuid = parent_guid, ParentHash = parent_hash, ParentPublisher = parent_publisher, ParentReputation = parent_reputation, ProcessGuid = process_guid, ProcessHash = process_hash, ProcessPublisher = process_publisher, ProcessReputation = process_reputation, WatchlistsType = type, Watchlists = watchlists", + "transformKql": "source \n| project TimeGenerated = todatetime(create_time), DeviceExternalIp = device_external_ip, DeviceId = device_id, DeviceInternalIp = device_internal_ip, DeviceName = device_name, IocHit = ioc_hit, IocId = ioc_id, OrgKey = org_key, ParentCmdline = parent_cmdline, ParentPath = parent_path, ParentPid = parent_pid, ProcessCmdline = process_cmdline, ProcessPath = process_path, ProcessPid = process_pid, ParentUsername = parent_username, ProcessUsername = process_username, ReportId = report_id, ReportName = report_name, Severity = severity, ReportTags = report_tags, Schema = schema, CreateTime = create_time, DeviceOs = device_os, ParentGuid = parent_guid, ParentHash = parent_hash, ParentPublisher = parent_publisher, ParentReputation = parent_reputation, ProcessGuid = process_guid, ProcessHash = process_hash, ProcessPublisher = process_publisher, ProcessReputation = process_reputation, WatchlistsType = type, Watchlists = watchlists", "outputStream": "Custom-CarbonBlack_Watchlist_CL" }, { @@ -1167,7 +1167,7 @@ "destinations": [ "clv2ws1" ], - "transformKql": "source | extend splitBackendTime = split(backend_timestamp,' ') | extend backendTimeAsDate = todatetime(strcat(splitBackendTime[0],'T',splitBackendTime[1],'Z')) | extend splitDeviceTimestamp = split(device_timestamp,' ') | extend DeviceTimestampAsDate = todatetime(strcat(splitDeviceTimestamp[0],'T',splitDeviceTimestamp[1],'Z'))| extend LogonMethod = case(toint(auth_logon_type) == 2, 'Interactive',toint(auth_logon_type) == 3, 'Network',toint(auth_logon_type) == 4, 'Batch',toint(auth_logon_type) == 5, 'Service',toint(auth_logon_type) == 7, 'Unlock',toint(auth_logon_type) == 8, 'NetworkCleartext',toint(auth_logon_type) == 9, 'NewCredentials',toint(auth_logon_type) == 10, 'RemoteInteractive',toint(auth_logon_type) == 11, 'CachedInteractive','Non-Valid Logon Type') | extend DvcIpAddr = device_external_ip| extend LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')| extend SplittedGeo = split(auth_remote_location, ',')| extend AdditionalFields = bag_pack('AuthCleartextCredentialsLogon', auth_cleartext_credentials_logon, 'AuthDaemonLogon', auth_daemon_logon, 'AuthElevatedTokenLogon', auth_elevated_token_logon, 'AuthFailureStatus', auth_failure_status, 'AuthFailureSubStatus', auth_failure_sub_status, 'AuthImpersonationLevel', auth_impersonation_level, 'AuthInteractiveLogon', auth_interactive_logon, 'AuthKeyLength', auth_key_length, 'AuthLogonType', auth_logon_type, 'AuthPrivileges', auth_privileges, 'AuthRemoteLogon', auth_remote_logon, 'AuthRestrictedAdminLogon', auth_restricted_admin_logon, 'AuthVirtualAccountLogon', auth_virtual_account_logon, 'DeviceExternalIp', device_external_ip, 'DeviceInternalIp', device_internal_ip, 'DeviceInstalledBy', device_installed_by, 'DeviceLocation', device_location, 'DevicePolicy', device_policy, 'DevicePolicyId', device_policy_id, 'DeviceTargetPriority', device_target_priority, 'FilemodCount', filemod_count, 'ModloadCount', modload_count, 'NetconnCount', netconn_count, 'RegmodCount', regmod_count, 'ScriptloadCount', scriptload_count, 'OrgKey', org_key, 'ParentCmdline', parent_cmdline, 'ParentCmdlineLength', parent_cmdline_length, 'ParentEffectiveReputation', parent_effective_reputation, 'ParentEffectiveReputationSource', parent_effective_reputation_source, 'ParentGuid', parent_guid, 'ParentHash', parent_hash, 'ParentIssuer', parent_issuer, 'ParentPid', parent_pid, 'ParentName', parent_name, 'ParentProductName', parent_product_name, 'ParentPublisher', parent_publisher, 'ParentReputation', parent_reputation, 'ParentUsername', parent_username, 'ProcessCmdline', process_cmdline, 'ProcessCmdlineLength', process_cmdline_length, 'ProcessCompanyName', process_company_name, 'ProcessContainerPid', process_container_pid, 'ProcessDuration', process_duration, 'ProcessEffectiveReputation', process_effective_reputation, 'ProcessEffectiveReputationSource', process_effective_reputation_source, 'ProcessElevated', process_elevated, 'ProcessEndTime', process_end_time, 'ProcessFileDescription', process_file_description, 'ProcessGuid', process_guid, 'ProcessHash', process_hash, 'ProcessIntegrityLevel', process_integrity_level, 'ProcessInternalName', process_internal_name, 'ProcessIssuer', process_issuer, 'ProcessName', process_name, 'ProcessOriginalFilename', process_original_filename, 'ProcessPid', process_pid, 'ProcessPrivileges', process_privileges, 'ProcessPublisher', process_publisher, 'ProcessReputation', process_reputation, 'ProcessSha256', process_sha256, 'ProcessStartTime', process_start_time, 'ProcessUsername', process_username, 'ProcessProductName', process_product_name, 'ProcessProductVersion', process_product_version, 'WindowsEventId', windows_event_id) | project TimeGenerated = backendTimeAsDate,AdditionalFields = AdditionalFields,EventCount = toint(1),EventResult = iff(auth_event_action == 'ACTION_LOGON_FAILED', 'Failure', 'Success'),EventSchema = 'Authentication',EventSchemaVersion = '0.1.3',EventStartTime = backendTimeAsDate,EventEndTime = backendTimeAsDate,EventType = 'Logon',EventOriginalUid = event_id,EventOriginalType = 'auth.event.logonop',EventProductVersion = '2.3',ActorUserId = auth_user_id,ActorUserIdType = 'SID',ActorUsername = auth_username,ActorSessionId = auth_logon_id,ActingAppId = process_pid,ActingAppName = process_name,ActingAppType = 'Process',TargetUserId = auth_user_id,TargetUserIdType = 'SID',TargetUsername = auth_username,TargetSessionId = auth_logon_id,TargetAppId = process_pid,TargetAppName = process_name,TargetAppType = 'Process',TargetHostName = auth_server,TargetDomain = auth_domain_name,TargetDomainType = 'WINDOWS',SrcPortNumber = toint(auth_remote_port),SrcHostname = device_name,SrcDvcId = device_id,SrcDeviceType = 'Computer',SrcDvcOs = device_os,SrcIpAddr= DvcIpAddr,SrcGeoCountry = tostring(SplittedGeo[2]),SrcGeoRegion = tostring(SplittedGeo[1]),SrcGeoCity = tostring(SplittedGeo[0]),LogonMethod = LogonMethod,LogonProtocol = LogonProtocol,DvcOriginalAction = auth_event_action,DvcIpAddr = DvcIpAddr,DvcHostname = device_name,DVC = device_id,DvcId = device_id,DvcOs = device_os | extend ActorUsernameType = case (ActorUsername contains '@' , 'UPN', ActorUsername contains '\\', 'Windows', (ActorUsername has 'CN=' or ActorUsername has 'OU=' or ActorUsername has 'DC='), 'DN', isempty(ActorUsername), '', 'Simple') | extend TargetUsernameType = case (TargetUsername contains '@' , 'UPN', TargetUsername contains '\\', 'Windows', (TargetUsername has 'CN=' or TargetUsername has 'OU=' or TargetUsername has 'DC='), 'DN', isempty(TargetUsername), '', 'Simple') | extend EventProduct = 'Carbon Black Cloud', EventVendor = 'VMWare'", + "transformKql": "source | extend splitBackendTime = split(backend_timestamp,' ') | extend backendTimeAsDate = todatetime(strcat(splitBackendTime[0],'T',splitBackendTime[1],'Z')) | extend splitDeviceTimestamp = split(device_timestamp,' ') | extend DeviceTimestampAsDate = todatetime(strcat(splitDeviceTimestamp[0],'T',splitDeviceTimestamp[1],'Z'))| extend LogonMethod = case(toint(auth_logon_type) == 2, 'Interactive',toint(auth_logon_type) == 3, 'Network',toint(auth_logon_type) == 4, 'Batch',toint(auth_logon_type) == 5, 'Service',toint(auth_logon_type) == 7, 'Unlock',toint(auth_logon_type) == 8, 'NetworkCleartext',toint(auth_logon_type) == 9, 'NewCredentials',toint(auth_logon_type) == 10, 'RemoteInteractive',toint(auth_logon_type) == 11, 'CachedInteractive','Non-Valid Logon Type') | extend DvcIpAddr = device_external_ip| extend LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')| extend SplittedGeo = split(auth_remote_location, ',')| extend AdditionalFields = bag_pack('AuthCleartextCredentialsLogon', auth_cleartext_credentials_logon, 'AuthDaemonLogon', auth_daemon_logon, 'AuthElevatedTokenLogon', auth_elevated_token_logon, 'AuthFailureStatus', auth_failure_status, 'AuthFailureSubStatus', auth_failure_sub_status, 'AuthImpersonationLevel', auth_impersonation_level, 'AuthInteractiveLogon', auth_interactive_logon, 'AuthKeyLength', auth_key_length, 'AuthLogonType', auth_logon_type, 'AuthPrivileges', auth_privileges, 'AuthRemoteLogon', auth_remote_logon, 'AuthRestrictedAdminLogon', auth_restricted_admin_logon, 'AuthVirtualAccountLogon', auth_virtual_account_logon, 'DeviceExternalIp', device_external_ip, 'DeviceInternalIp', device_internal_ip, 'DeviceInstalledBy', device_installed_by, 'DeviceLocation', device_location, 'DevicePolicy', device_policy, 'DevicePolicyId', device_policy_id, 'DeviceTargetPriority', device_target_priority, 'FilemodCount', filemod_count, 'ModloadCount', modload_count, 'NetconnCount', netconn_count, 'RegmodCount', regmod_count, 'ScriptloadCount', scriptload_count, 'OrgKey', org_key, 'ParentCmdline', parent_cmdline, 'ParentCmdlineLength', parent_cmdline_length, 'ParentEffectiveReputation', parent_effective_reputation, 'ParentEffectiveReputationSource', parent_effective_reputation_source, 'ParentGuid', parent_guid, 'ParentHash', parent_hash, 'ParentIssuer', parent_issuer, 'ParentPid', parent_pid, 'ParentName', parent_name, 'ParentProductName', parent_product_name, 'ParentPublisher', parent_publisher, 'ParentReputation', parent_reputation, 'ParentUsername', parent_username, 'ProcessCmdline', process_cmdline, 'ProcessCmdlineLength', process_cmdline_length, 'ProcessCompanyName', process_company_name, 'ProcessContainerPid', process_container_pid, 'ProcessDuration', process_duration, 'ProcessEffectiveReputation', process_effective_reputation, 'ProcessEffectiveReputationSource', process_effective_reputation_source, 'ProcessElevated', process_elevated, 'ProcessEndTime', process_end_time, 'ProcessFileDescription', process_file_description, 'ProcessGuid', process_guid, 'ProcessHash', process_hash, 'ProcessIntegrityLevel', process_integrity_level, 'ProcessInternalName', process_internal_name, 'ProcessIssuer', process_issuer, 'ProcessName', process_name, 'ProcessOriginalFilename', process_original_filename, 'ProcessPid', process_pid, 'ProcessPrivileges', process_privileges, 'ProcessPublisher', process_publisher, 'ProcessReputation', process_reputation, 'ProcessSha256', process_sha256, 'ProcessStartTime', process_start_time, 'ProcessUsername', process_username, 'ProcessProductName', process_product_name, 'ProcessProductVersion', process_product_version, 'WindowsEventId', windows_event_id) | project TimeGenerated = backendTimeAsDate,AdditionalFields = AdditionalFields,EventCount = toint(1),EventResult = iff(auth_event_action == 'ACTION_LOGON_FAILED', 'Failure', 'Success'),EventSchema = 'Authentication',EventSchemaVersion = '0.1.3',EventStartTime = backendTimeAsDate,EventEndTime = backendTimeAsDate,EventType = 'Logon',EventOriginalUid = event_id,EventOriginalType = 'auth.event.logonop',EventProductVersion = '2.3',ActorUserId = auth_user_id,ActorUserIdType = 'SID',ActorUsername = auth_username,ActorSessionId = auth_logon_id,ActingAppId = process_pid,ActingAppName = process_name,ActingAppType = 'Process',TargetUserId = auth_user_id,TargetUserIdType = 'SID',TargetUsername = auth_username,TargetSessionId = auth_logon_id,TargetAppId = process_pid,TargetAppName = process_name,TargetAppType = 'Process',TargetHostName = auth_server,TargetDomain = auth_domain_name,TargetDomainType = 'WINDOWS',SrcPortNumber = toint(auth_remote_port),SrcHostname = device_name,SrcDvcId = device_id,SrcDeviceType = 'Computer',SrcDvcOs = device_os,SrcIpAddr= DvcIpAddr,SrcGeoCountry = tostring(SplittedGeo[2]),SrcGeoRegion = tostring(SplittedGeo[1]),SrcGeoCity = tostring(SplittedGeo[0]),LogonMethod = LogonMethod,LogonProtocol = LogonProtocol,DvcOriginalAction = auth_event_action,DvcIpAddr = DvcIpAddr,DvcHostname = device_name,DVC = device_id,DvcId = device_id,DvcOs = device_os | extend ActorUsernameType = case (ActorUsername contains '@' , 'UPN', ActorUsername contains '\\\\', 'Windows', (ActorUsername has 'CN=' or ActorUsername has 'OU=' or ActorUsername has 'DC='), 'DN', isempty(ActorUsername), '', 'Simple') | extend TargetUsernameType = case (TargetUsername contains '@' , 'UPN', TargetUsername contains '\\\\', 'Windows', (TargetUsername has 'CN=' or TargetUsername has 'OU=' or TargetUsername has 'DC='), 'DN', isempty(TargetUsername), '', 'Simple') | extend EventProduct = 'Carbon Black Cloud', EventVendor = 'VMWare'", "outputStream": "Microsoft-ASimAuthenticationEventLogs" }, { diff --git a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_PollingConfig.json b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_PollingConfig.json index 27f8d3b8519..5a92d1e206c 100644 --- a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_PollingConfig.json +++ b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_PollingConfig.json @@ -5,7 +5,7 @@ "kind": "AmazonWebServicesS3", "properties": { "connectorDefinitionName": "carbonBlackAWSS3", - "dataType": { + "dataTypes": { "logs": { "state": "enabled" } diff --git a/Solutions/VMware Carbon Black Cloud/Package/3.0.4.zip b/Solutions/VMware Carbon Black Cloud/Package/3.0.4.zip new file mode 100644 index 00000000000..e9f9d7437ac Binary files /dev/null and b/Solutions/VMware Carbon Black Cloud/Package/3.0.4.zip differ diff --git a/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json b/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json index 1a908fe95fb..38af927a5a4 100644 --- a/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json +++ b/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json @@ -64,7 +64,7 @@ } }, { - "name": "dataconnectors-link1", + "name": "dataconnectors-link2", "type": "Microsoft.Common.TextBlock", "options": { "link": { @@ -225,4 +225,4 @@ "workspace": "[basics('workspace')]" } } -} \ No newline at end of file +} diff --git a/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json b/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json index 9d8b76701b8..42538e6f27e 100644 --- a/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json +++ b/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json @@ -55,7 +55,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "VMware Carbon Black Cloud", - "_solutionVersion": "3.0.3", + "_solutionVersion": "3.0.4", "solutionId": "azuresentinel.azure-sentinel-solution-vmwarecarbonblack", "_solutionId": "[variables('solutionId')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", @@ -1648,7 +1648,7 @@ "destinations": [ "clv2ws1" ], - "transformKql": "source\n | project TimeGenerated = detection_timestamp, Version = version, AlertUrl = alert_url, Id = id, AlertType = type, IsUpdated = is_updated, DetectionTimestamp = detection_timestamp, BackendTimestamp = backend_timestamp, BackendUpdateTimestamp = backend_update_timestamp, FirstEventTimestamp = first_event_timestamp, LastEventTimestamp = last_event_timestamp, Severity = severity, Reason = reason, ThreatId = threat_id, PrimaryEventId = primary_event_id, Workflow = workflow, Determination = determination, AlertNotesPresent = alert_notes_present, PolicyApplied = policy_applied, RunState = run_state, ReasonCode = reason_code, SensorAction = sensor_action, DeviceTargetValue = device_target_value, DevicePolicyId = device_policy_id, DevicePolicy = device_policy, DeviceId = device_id, DeviceName = device_name, DeviceOs = device_os, DeviceOsVersion = device_os_version, DeviceUsername = device_username, DeviceLocation = device_location, DeviceExternalIp = device_external_ip, DeviceInternalIp = device_internal_ip, ReportId = report_id, ReportName = report_name, ReportDescription = report_description, ReportTags = report_tags, ReportLink = report_link, IocId = ioc_id, IocHit = ioc_hit, Watchlists = watchlists, ProcessGuid = process_guid, ProcessPid = process_pid, ProcessName = process_name, ProcessSha256 = process_sha256, ProcessMd5 = process_md5, ProcessReputation = process_reputation, ProcessEffectiveReputation = process_effective_reputation, ProcessCmdline = process_cmdline, ProcessUsername = process_username, ProcessIssuer = process_issuer, ProcessPublisher = process_publisher, ParentGuid = parent_guid, ParentPid = parent_pid, ParentName = parent_name, ParentSha256 = parent_sha256, ParentMd5 = parent_md5, ParentReputation = parent_reputation, ParentEffectiveReputation = parent_effective_reputation, ParentCmdline = parent_cmdline, ParentUsername = parent_username, MdrAlertNotesPresent = mdr_alert_notes_present, MdrAlert = mdr_alert, MlClassificationFinalVerdict = ml_classification_final_verdict, MlClassificationGlobalPrevalence = ml_classification_global_prevalence, MlClassificationOrgPrevalence = ml_classification_org_prevalence", + "transformKql": "source\n | project TimeGenerated = todatetime(detection_timestamp), Version = version, AlertUrl = alert_url, Id = id, AlertType = type, IsUpdated = is_updated, DetectionTimestamp = detection_timestamp, BackendTimestamp = backend_timestamp, BackendUpdateTimestamp = backend_update_timestamp, FirstEventTimestamp = first_event_timestamp, LastEventTimestamp = last_event_timestamp, Severity = severity, Reason = reason, ThreatId = threat_id, PrimaryEventId = primary_event_id, Workflow = workflow, Determination = determination, AlertNotesPresent = alert_notes_present, PolicyApplied = policy_applied, RunState = run_state, ReasonCode = reason_code, SensorAction = sensor_action, DeviceTargetValue = device_target_value, DevicePolicyId = device_policy_id, DevicePolicy = device_policy, DeviceId = device_id, DeviceName = device_name, DeviceOs = device_os, DeviceOsVersion = device_os_version, DeviceUsername = device_username, DeviceLocation = device_location, DeviceExternalIp = device_external_ip, DeviceInternalIp = device_internal_ip, ReportId = report_id, ReportName = report_name, ReportDescription = report_description, ReportTags = report_tags, ReportLink = report_link, IocId = ioc_id, IocHit = ioc_hit, Watchlists = watchlists, ProcessGuid = process_guid, ProcessPid = process_pid, ProcessName = process_name, ProcessSha256 = process_sha256, ProcessMd5 = process_md5, ProcessReputation = process_reputation, ProcessEffectiveReputation = process_effective_reputation, ProcessCmdline = process_cmdline, ProcessUsername = process_username, ProcessIssuer = process_issuer, ProcessPublisher = process_publisher, ParentGuid = parent_guid, ParentPid = parent_pid, ParentName = parent_name, ParentSha256 = parent_sha256, ParentMd5 = parent_md5, ParentReputation = parent_reputation, ParentEffectiveReputation = parent_effective_reputation, ParentCmdline = parent_cmdline, ParentUsername = parent_username, MdrAlertNotesPresent = mdr_alert_notes_present, MdrAlert = mdr_alert, MlClassificationFinalVerdict = ml_classification_final_verdict, MlClassificationGlobalPrevalence = ml_classification_global_prevalence, MlClassificationOrgPrevalence = ml_classification_org_prevalence", "outputStream": "Custom-CarbonBlack_Alerts_CL" }, { @@ -1658,7 +1658,7 @@ "destinations": [ "clv2ws1" ], - "transformKql": "source \n| project TimeGenerated = create_time, DeviceExternalIp = device_external_ip, DeviceId = device_id, DeviceInternalIp = device_internal_ip, DeviceName = device_name, IocHit = ioc_hit, IocId = ioc_id, OrgKey = org_key, ParentCmdline = parent_cmdline, ParentPath = parent_path, ParentPid = parent_pid, ProcessCmdline = process_cmdline, ProcessPath = process_path, ProcessPid = process_pid, ParentUsername = parent_username, ProcessUsername = process_username, ReportId = report_id, ReportName = report_name, Severity = severity, ReportTags = report_tags, Schema = schema, CreateTime = create_time, DeviceOs = device_os, ParentGuid = parent_guid, ParentHash = parent_hash, ParentPublisher = parent_publisher, ParentReputation = parent_reputation, ProcessGuid = process_guid, ProcessHash = process_hash, ProcessPublisher = process_publisher, ProcessReputation = process_reputation, WatchlistsType = type, Watchlists = watchlists", + "transformKql": "source \n| project TimeGenerated = todatetime(create_time), DeviceExternalIp = device_external_ip, DeviceId = device_id, DeviceInternalIp = device_internal_ip, DeviceName = device_name, IocHit = ioc_hit, IocId = ioc_id, OrgKey = org_key, ParentCmdline = parent_cmdline, ParentPath = parent_path, ParentPid = parent_pid, ProcessCmdline = process_cmdline, ProcessPath = process_path, ProcessPid = process_pid, ParentUsername = parent_username, ProcessUsername = process_username, ReportId = report_id, ReportName = report_name, Severity = severity, ReportTags = report_tags, Schema = schema, CreateTime = create_time, DeviceOs = device_os, ParentGuid = parent_guid, ParentHash = parent_hash, ParentPublisher = parent_publisher, ParentReputation = parent_reputation, ProcessGuid = process_guid, ProcessHash = process_hash, ProcessPublisher = process_publisher, ProcessReputation = process_reputation, WatchlistsType = type, Watchlists = watchlists", "outputStream": "Custom-CarbonBlack_Watchlist_CL" }, { @@ -1668,7 +1668,7 @@ "destinations": [ "clv2ws1" ], - "transformKql": "source | extend splitBackendTime = split(backend_timestamp,' ') | extend backendTimeAsDate = todatetime(strcat(splitBackendTime[0],'T',splitBackendTime[1],'Z')) | extend splitDeviceTimestamp = split(device_timestamp,' ') | extend DeviceTimestampAsDate = todatetime(strcat(splitDeviceTimestamp[0],'T',splitDeviceTimestamp[1],'Z'))| extend LogonMethod = case(toint(auth_logon_type) == 2, 'Interactive',toint(auth_logon_type) == 3, 'Network',toint(auth_logon_type) == 4, 'Batch',toint(auth_logon_type) == 5, 'Service',toint(auth_logon_type) == 7, 'Unlock',toint(auth_logon_type) == 8, 'NetworkCleartext',toint(auth_logon_type) == 9, 'NewCredentials',toint(auth_logon_type) == 10, 'RemoteInteractive',toint(auth_logon_type) == 11, 'CachedInteractive','Non-Valid Logon Type') | extend DvcIpAddr = device_external_ip| extend LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')| extend SplittedGeo = split(auth_remote_location, ',')| extend AdditionalFields = bag_pack('AuthCleartextCredentialsLogon', auth_cleartext_credentials_logon, 'AuthDaemonLogon', auth_daemon_logon, 'AuthElevatedTokenLogon', auth_elevated_token_logon, 'AuthFailureStatus', auth_failure_status, 'AuthFailureSubStatus', auth_failure_sub_status, 'AuthImpersonationLevel', auth_impersonation_level, 'AuthInteractiveLogon', auth_interactive_logon, 'AuthKeyLength', auth_key_length, 'AuthLogonType', auth_logon_type, 'AuthPrivileges', auth_privileges, 'AuthRemoteLogon', auth_remote_logon, 'AuthRestrictedAdminLogon', auth_restricted_admin_logon, 'AuthVirtualAccountLogon', auth_virtual_account_logon, 'DeviceExternalIp', device_external_ip, 'DeviceInternalIp', device_internal_ip, 'DeviceInstalledBy', device_installed_by, 'DeviceLocation', device_location, 'DevicePolicy', device_policy, 'DevicePolicyId', device_policy_id, 'DeviceTargetPriority', device_target_priority, 'FilemodCount', filemod_count, 'ModloadCount', modload_count, 'NetconnCount', netconn_count, 'RegmodCount', regmod_count, 'ScriptloadCount', scriptload_count, 'OrgKey', org_key, 'ParentCmdline', parent_cmdline, 'ParentCmdlineLength', parent_cmdline_length, 'ParentEffectiveReputation', parent_effective_reputation, 'ParentEffectiveReputationSource', parent_effective_reputation_source, 'ParentGuid', parent_guid, 'ParentHash', parent_hash, 'ParentIssuer', parent_issuer, 'ParentPid', parent_pid, 'ParentName', parent_name, 'ParentProductName', parent_product_name, 'ParentPublisher', parent_publisher, 'ParentReputation', parent_reputation, 'ParentUsername', parent_username, 'ProcessCmdline', process_cmdline, 'ProcessCmdlineLength', process_cmdline_length, 'ProcessCompanyName', process_company_name, 'ProcessContainerPid', process_container_pid, 'ProcessDuration', process_duration, 'ProcessEffectiveReputation', process_effective_reputation, 'ProcessEffectiveReputationSource', process_effective_reputation_source, 'ProcessElevated', process_elevated, 'ProcessEndTime', process_end_time, 'ProcessFileDescription', process_file_description, 'ProcessGuid', process_guid, 'ProcessHash', process_hash, 'ProcessIntegrityLevel', process_integrity_level, 'ProcessInternalName', process_internal_name, 'ProcessIssuer', process_issuer, 'ProcessName', process_name, 'ProcessOriginalFilename', process_original_filename, 'ProcessPid', process_pid, 'ProcessPrivileges', process_privileges, 'ProcessPublisher', process_publisher, 'ProcessReputation', process_reputation, 'ProcessSha256', process_sha256, 'ProcessStartTime', process_start_time, 'ProcessUsername', process_username, 'ProcessProductName', process_product_name, 'ProcessProductVersion', process_product_version, 'WindowsEventId', windows_event_id) | project TimeGenerated = backendTimeAsDate,AdditionalFields = AdditionalFields,EventCount = toint(1),EventResult = iff(auth_event_action == 'ACTION_LOGON_FAILED', 'Failure', 'Success'),EventSchema = 'Authentication',EventSchemaVersion = '0.1.3',EventStartTime = backendTimeAsDate,EventEndTime = backendTimeAsDate,EventType = 'Logon',EventOriginalUid = event_id,EventOriginalType = 'auth.event.logonop',EventProductVersion = '2.3',ActorUserId = auth_user_id,ActorUserIdType = 'SID',ActorUsername = auth_username,ActorSessionId = auth_logon_id,ActingAppId = process_pid,ActingAppName = process_name,ActingAppType = 'Process',TargetUserId = auth_user_id,TargetUserIdType = 'SID',TargetUsername = auth_username,TargetSessionId = auth_logon_id,TargetAppId = process_pid,TargetAppName = process_name,TargetAppType = 'Process',TargetHostName = auth_server,TargetDomain = auth_domain_name,TargetDomainType = 'WINDOWS',SrcPortNumber = toint(auth_remote_port),SrcHostname = device_name,SrcDvcId = device_id,SrcDeviceType = 'Computer',SrcDvcOs = device_os,SrcIpAddr= DvcIpAddr,SrcGeoCountry = tostring(SplittedGeo[2]),SrcGeoRegion = tostring(SplittedGeo[1]),SrcGeoCity = tostring(SplittedGeo[0]),LogonMethod = LogonMethod,LogonProtocol = LogonProtocol,DvcOriginalAction = auth_event_action,DvcIpAddr = DvcIpAddr,DvcHostname = device_name,DVC = device_id,DvcId = device_id,DvcOs = device_os | extend ActorUsernameType = case (ActorUsername contains '@' , 'UPN', ActorUsername contains '\\', 'Windows', (ActorUsername has 'CN=' or ActorUsername has 'OU=' or ActorUsername has 'DC='), 'DN', isempty(ActorUsername), '', 'Simple') | extend TargetUsernameType = case (TargetUsername contains '@' , 'UPN', TargetUsername contains '\\', 'Windows', (TargetUsername has 'CN=' or TargetUsername has 'OU=' or TargetUsername has 'DC='), 'DN', isempty(TargetUsername), '', 'Simple') | extend EventProduct = 'Carbon Black Cloud', EventVendor = 'VMWare'", + "transformKql": "source | extend splitBackendTime = split(backend_timestamp,' ') | extend backendTimeAsDate = todatetime(strcat(splitBackendTime[0],'T',splitBackendTime[1],'Z')) | extend splitDeviceTimestamp = split(device_timestamp,' ') | extend DeviceTimestampAsDate = todatetime(strcat(splitDeviceTimestamp[0],'T',splitDeviceTimestamp[1],'Z'))| extend LogonMethod = case(toint(auth_logon_type) == 2, 'Interactive',toint(auth_logon_type) == 3, 'Network',toint(auth_logon_type) == 4, 'Batch',toint(auth_logon_type) == 5, 'Service',toint(auth_logon_type) == 7, 'Unlock',toint(auth_logon_type) == 8, 'NetworkCleartext',toint(auth_logon_type) == 9, 'NewCredentials',toint(auth_logon_type) == 10, 'RemoteInteractive',toint(auth_logon_type) == 11, 'CachedInteractive','Non-Valid Logon Type') | extend DvcIpAddr = device_external_ip| extend LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')| extend SplittedGeo = split(auth_remote_location, ',')| extend AdditionalFields = bag_pack('AuthCleartextCredentialsLogon', auth_cleartext_credentials_logon, 'AuthDaemonLogon', auth_daemon_logon, 'AuthElevatedTokenLogon', auth_elevated_token_logon, 'AuthFailureStatus', auth_failure_status, 'AuthFailureSubStatus', auth_failure_sub_status, 'AuthImpersonationLevel', auth_impersonation_level, 'AuthInteractiveLogon', auth_interactive_logon, 'AuthKeyLength', auth_key_length, 'AuthLogonType', auth_logon_type, 'AuthPrivileges', auth_privileges, 'AuthRemoteLogon', auth_remote_logon, 'AuthRestrictedAdminLogon', auth_restricted_admin_logon, 'AuthVirtualAccountLogon', auth_virtual_account_logon, 'DeviceExternalIp', device_external_ip, 'DeviceInternalIp', device_internal_ip, 'DeviceInstalledBy', device_installed_by, 'DeviceLocation', device_location, 'DevicePolicy', device_policy, 'DevicePolicyId', device_policy_id, 'DeviceTargetPriority', device_target_priority, 'FilemodCount', filemod_count, 'ModloadCount', modload_count, 'NetconnCount', netconn_count, 'RegmodCount', regmod_count, 'ScriptloadCount', scriptload_count, 'OrgKey', org_key, 'ParentCmdline', parent_cmdline, 'ParentCmdlineLength', parent_cmdline_length, 'ParentEffectiveReputation', parent_effective_reputation, 'ParentEffectiveReputationSource', parent_effective_reputation_source, 'ParentGuid', parent_guid, 'ParentHash', parent_hash, 'ParentIssuer', parent_issuer, 'ParentPid', parent_pid, 'ParentName', parent_name, 'ParentProductName', parent_product_name, 'ParentPublisher', parent_publisher, 'ParentReputation', parent_reputation, 'ParentUsername', parent_username, 'ProcessCmdline', process_cmdline, 'ProcessCmdlineLength', process_cmdline_length, 'ProcessCompanyName', process_company_name, 'ProcessContainerPid', process_container_pid, 'ProcessDuration', process_duration, 'ProcessEffectiveReputation', process_effective_reputation, 'ProcessEffectiveReputationSource', process_effective_reputation_source, 'ProcessElevated', process_elevated, 'ProcessEndTime', process_end_time, 'ProcessFileDescription', process_file_description, 'ProcessGuid', process_guid, 'ProcessHash', process_hash, 'ProcessIntegrityLevel', process_integrity_level, 'ProcessInternalName', process_internal_name, 'ProcessIssuer', process_issuer, 'ProcessName', process_name, 'ProcessOriginalFilename', process_original_filename, 'ProcessPid', process_pid, 'ProcessPrivileges', process_privileges, 'ProcessPublisher', process_publisher, 'ProcessReputation', process_reputation, 'ProcessSha256', process_sha256, 'ProcessStartTime', process_start_time, 'ProcessUsername', process_username, 'ProcessProductName', process_product_name, 'ProcessProductVersion', process_product_version, 'WindowsEventId', windows_event_id) | project TimeGenerated = backendTimeAsDate,AdditionalFields = AdditionalFields,EventCount = toint(1),EventResult = iff(auth_event_action == 'ACTION_LOGON_FAILED', 'Failure', 'Success'),EventSchema = 'Authentication',EventSchemaVersion = '0.1.3',EventStartTime = backendTimeAsDate,EventEndTime = backendTimeAsDate,EventType = 'Logon',EventOriginalUid = event_id,EventOriginalType = 'auth.event.logonop',EventProductVersion = '2.3',ActorUserId = auth_user_id,ActorUserIdType = 'SID',ActorUsername = auth_username,ActorSessionId = auth_logon_id,ActingAppId = process_pid,ActingAppName = process_name,ActingAppType = 'Process',TargetUserId = auth_user_id,TargetUserIdType = 'SID',TargetUsername = auth_username,TargetSessionId = auth_logon_id,TargetAppId = process_pid,TargetAppName = process_name,TargetAppType = 'Process',TargetHostName = auth_server,TargetDomain = auth_domain_name,TargetDomainType = 'WINDOWS',SrcPortNumber = toint(auth_remote_port),SrcHostname = device_name,SrcDvcId = device_id,SrcDeviceType = 'Computer',SrcDvcOs = device_os,SrcIpAddr= DvcIpAddr,SrcGeoCountry = tostring(SplittedGeo[2]),SrcGeoRegion = tostring(SplittedGeo[1]),SrcGeoCity = tostring(SplittedGeo[0]),LogonMethod = LogonMethod,LogonProtocol = LogonProtocol,DvcOriginalAction = auth_event_action,DvcIpAddr = DvcIpAddr,DvcHostname = device_name,DVC = device_id,DvcId = device_id,DvcOs = device_os | extend ActorUsernameType = case (ActorUsername contains '@' , 'UPN', ActorUsername contains '\\\\', 'Windows', (ActorUsername has 'CN=' or ActorUsername has 'OU=' or ActorUsername has 'DC='), 'DN', isempty(ActorUsername), '', 'Simple') | extend TargetUsernameType = case (TargetUsername contains '@' , 'UPN', TargetUsername contains '\\\\', 'Windows', (TargetUsername has 'CN=' or TargetUsername has 'OU=' or TargetUsername has 'DC='), 'DN', isempty(TargetUsername), '', 'Simple') | extend EventProduct = 'Carbon Black Cloud', EventVendor = 'VMWare'", "outputStream": "Microsoft-ASimAuthenticationEventLogs" }, { @@ -2534,6 +2534,9 @@ }, "type": "object" }, + "streamName": { + "type": "array" + }, "roleArn": { "defaultValue": "roleArn", "type": "string", @@ -2583,7 +2586,7 @@ "kind": "AmazonWebServicesS3", "properties": { "connectorDefinitionName": "carbonBlackAWSS3", - "dataType": { + "dataTypes": { "logs": { "state": "enabled" } @@ -2625,7 +2628,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "VMware Carbon Black Cloud data connector with template version 3.0.3", + "description": "VMware Carbon Black Cloud data connector with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -3038,7 +3041,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CriticalThreatDetected_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "CriticalThreatDetected_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -3066,10 +3069,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackNotifications_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" } ], "tactics": [ @@ -3080,22 +3083,22 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "HostCustomEntity" + "columnName": "HostCustomEntity", + "identifier": "FullName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -3151,7 +3154,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "KnownMalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "KnownMalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -3179,10 +3182,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "VMwareCarbonBlack", "dataTypes": [ "CarbonBlackEvents_CL" - ] + ], + "connectorId": "VMwareCarbonBlack" } ], "tactics": [ @@ -3193,31 +3196,31 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "FullName" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "HostCustomEntity" + "columnName": "HostCustomEntity", + "identifier": "FullName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -3273,7 +3276,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "VMwareCarbonBlack Workbook with template version 3.0.3", + "description": "VMwareCarbonBlack Workbook with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -3369,7 +3372,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CarbonBlackConnector Playbook with template version 3.0.3", + "description": "CarbonBlackConnector Playbook with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -5003,7 +5006,7 @@ ], "metadata": { "comments": "This connector used to perform different actions on alerts , device and threats using CarbonBlack cloud endpoint API.", - "lastUpdateTime": "2024-10-15T19:22:24.265Z", + "lastUpdateTime": "2024-11-19T15:06:50.446Z", "releaseNotes": { "version": "1.0", "title": "[variables('blanks')]", @@ -5035,7 +5038,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EndpointTakeActionFromTeams-CarbonBlack Playbook with template version 3.0.3", + "description": "EndpointTakeActionFromTeams-CarbonBlack Playbook with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -6838,7 +6841,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IsolateEndpoint-CarbonBlack Playbook with template version 3.0.3", + "description": "IsolateEndpoint-CarbonBlack Playbook with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -7581,7 +7584,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EndpointEnrichment-CarbonBlack Playbook with template version 3.0.3", + "description": "EndpointEnrichment-CarbonBlack Playbook with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -8005,7 +8008,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.3", + "version": "3.0.4", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "VMware Carbon Black Cloud", diff --git a/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md b/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md index b4bc33b9dd6..c21d2f75395 100644 --- a/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md +++ b/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|-----------------------------------------------------------| +| 3.0.4 | 19-11-2024 | Modified TransformKQL queries of CCP **Data Connector** | | 3.0.3 | 28-10-2024 | Added Sample Queries to the CCP **Data Connector** template | | 3.0.2 | 15-10-2024 | Added new CCP **Data Connector** to the Solution | | 3.0.1 | 17-04-2024 | Added Azure Deploy button for government portal deployments in **Data connectors** |