From ba1c4d47a019ed1bb25ab172c71823269ec10a69 Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Mon, 28 Aug 2023 18:53:25 +0530 Subject: [PATCH 1/5] Repackaging - OSSEC (MMA to AMA Migration) --- .../Data Connectors/Connector_CEF_OSSEC.json | 2 +- .../Data Connectors/template_OSSECAMA.json | 108 +++++ .../Data/Solution_OssectemplateSpec.json | 7 +- Solutions/OSSEC/Package/3.0.0.zip | Bin 0 -> 9131 bytes .../OSSEC/Package/createUiDefinition.json | 13 +- Solutions/OSSEC/Package/mainTemplate.json | 454 +++++++++++++++--- Solutions/OSSEC/ReleaseNotes.md | 5 + 7 files changed, 521 insertions(+), 68 deletions(-) create mode 100644 Solutions/OSSEC/Data Connectors/template_OSSECAMA.json create mode 100644 Solutions/OSSEC/Package/3.0.0.zip create mode 100644 Solutions/OSSEC/ReleaseNotes.md
diff --git a/Solutions/OSSEC/Data Connectors/Connector_CEF_OSSEC.json b/Solutions/OSSEC/Data Connectors/Connector_CEF_OSSEC.json
index 8bc240475f4..7c10faa9b27 100644
--- a/Solutions/OSSEC/Data Connectors/Connector_CEF_OSSEC.json
+++ b/Solutions/OSSEC/Data Connectors/Connector_CEF_OSSEC.json
@@ -1,6 +1,6 @@
 {
 "id": "OSSEC",
- "title": "OSSEC",
+ "title": "[Deprecated] OSSEC via Legacy Agent",
 "publisher": "OSSEC",
 "descriptionMarkdown": "OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs) for more information.",
 "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
diff --git a/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json b/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json
new file mode 100644
index 00000000000..d58e574247a
--- /dev/null
+++ b/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json
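Review bot: The legacy connector is retitled `[Deprecated] OSSEC via Legacy Agent`, but its `descriptionMarkdown` on the next context line is left untouched, so anyone opening that connector blade sees no deprecation notice and no pointer to the AMA connector; the only such text in this patch lives in the solution-level Description in Solution_OssectemplateSpec.json. Suggest prefixing the connector's own `descriptionMarkdown` with something like `**This connector is deprecated.** It relies on the Log Analytics agent, which is scheduled for deprecation; use the [Recommended] OSSEC via AMA connector wherever AMA is supported.` The same gap exists in the two title-only hunks of mainTemplate.json (`@@ -96,7 +91,7 @@` and `@@ -282,7 +288,7 @@`), whose `descriptionMarkdown` context lines are likewise unchanged.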
@@ -0,0 +1,108 @@ +{ + "id": "OSSECAma", + "title": "[Recommended] OSSEC via AMA", + "publisher": "OSSEC", + "descriptionMarkdown": "OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs) for more information.", + "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "OSSEC", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description" : "Top 10 Rules", + "query": "OSSECEvent\n | summarize count() by RuleName\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (OSSEC)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + 
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OSSEC/Parsers/OSSECEvent.txt), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", + "instructions": [ + ] + }, + { + "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", + "description": "[Follow these steps](https://www.ossec.net/docs/docs/manual/output/syslog-output.html) to configure OSSEC sending alerts via syslog.", + "instructions": [ + ] + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + + { + "title": "4. Secure your machine ", + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)" + } + ] +} \ No newline at end of file diff --git a/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json b/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json index 6cfe7c6faea..6d5d1546704 100644 --- a/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json +++ b/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json 
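Review bot: The `Step C` CopyableLabel value `sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef` fetches a script from the moving `master` ref and runs it as root with no integrity check; pinning the URL to a tagged release or commit, or publishing a checksum the operator can verify before the `sudo python` step, would make the instruction reproducible and auditable. In the same step's description, `python -version` should read `python --version`. The `permissions` block still declares `Microsoft.OperationalInsights/workspaces/sharedKeys` with `"action": true`; if the AMA/DCR path does not consume the workspace key (this block looks carried over from the legacy MMA connector), dropping that entry stops asking operators for a key-listing right the connector does not need. Separately, the outer `instructionSteps` jump from `1. Kindly follow the steps to configure the data connector` straight to `4. Secure your machine ` (note the trailing space in the title), which reads as if steps 2 and 3 were lost in the copy.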
@@ -2,16 +2,17 @@
 "Name": "OSSEC",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.",
+ "Description": "The OSSEC solution provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.\n\r\n1. **OSSEC via AMA** -This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **OSSEC via Legacy Agent** - This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n

**NOTE:** Microsoft recommends Installation of OSSEC via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31.2024,** and thus should only be installed where AMA is not supported.Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
 "Data Connectors": [
- "Data Connectors/Connector_CEF_OSSEC.json"
+ "Data Connectors/Connector_CEF_OSSEC.json",
+ "Data Connectors/template_OSSECAMA.json"
 ],
 "Parsers": [
 "Parsers/OSSECEvent.txt"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\OSSEC",
- "Version": "2.0.1",
+ "Version": "3.0.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
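Review bot: The new `Description` value appears to contain a raw line break — the added line ends with `\n\n`, a blank line follows, and the string resumes at `**NOTE:**`; if that break is really in the file rather than an artefact of how this patch is displayed, it is an unescaped newline inside a JSON string, which strict RFC 8259 parsers reject even where the packaging tool happens to tolerate it, and the copy of the same text in createUiDefinition.json (`@@ -6,7 +6,7 @@`) uses an escaped `\n\n` at that point instead. The string also mixes `\n\r\n` and `\n\n` as paragraph separators and carries two typos that the createUiDefinition copy repeats: `**Aug 31.2024,**` (should be `**Aug 31, 2024**`) and `supported.Using` (missing space). Since this text is now duplicated across the two files, fixing it here and regenerating the package copy (if createUiDefinition.json is generated from this spec) would keep the two from drifting.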
diff --git a/Solutions/OSSEC/Package/3.0.0.zip b/Solutions/OSSEC/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..b8a503f9af18931290aa8992764e13c18a881431 GIT binary patch literal 9131 zcmZ{qWl$Wz(ykYG*WeP|3Bf(M+u{z3TYvzIgdoA)9fG^NySoHmU~wl%aJV_=R^7Tk zzHeq~dZwzoe|9}HZ>uT7!Q%q}0AxU0GMUaC|DD}65&!@t0s#IkfQ2i_%pC-@l>%AW zI@!A0Iy7F~$wh+9UM zAmdY39GPtwDV$%5sD5tYVZsg5Sj;*-Q?0$h-u|m_=e=6)_h-^!nVyEP^sb_U)&-Mo z^EoqzW_07=KF#>Ze(4trkQDxDC#2yf@rXw-Gg-!=aAn$rq%Zs7@2QSC8`^Opd;Wxi zz@rhx>*fixVQz7K+$)~ZZ1i_gRCKfVdH&Dk%>^|y=ioXuseU+%JC8ApnV&(}A4TVI z2`!8&L2GQL@@x0kw0tOp%Z7Sfj-J{Z<12rE)}iW9;ob2fChj5ej(CT#_0P<(x|u03rUYvr!O9O}72 z6*KBl78`~E;hD+%1B1_@o4|?{-=);7%JA8FYdF8uvsc(O^4uU8$kK4br=wG2GHsu1 zY>~u}I30AV)Vq|mHDK@IrgP-jSJ(vH;_iV%Ki~MBLZVugirJ5+jk?QkDm$kkSqO?I z($u~Hl#&nmGAXnPD&+B|g+a+JNlW#mOLo66L@o*bb~c=QBn)wCiEq{(RHxqX z?H@$!Hjvwuiv<6s0emYZM~l$S-;JmyV|b1&`x*Ds3BKwHoGD~* zty??J%gOSCAr{@EYz{upCw_j(lqfKh#%o-s-Bmv{ zX*|LkIpjU;Ci+Xuy^If5Hg0FIc{n~vCn+gaStBO)lqUyc!HZghVhd@6G50K0xfJyv zByi)f(FxVL+C)>6pLlZ_W|M+Isb&>`VN|J(2PA@d(ieY$nQ+J);~$W&QVh3o@xu!^ zAS(!9aQGIR#8#g4N+I&RcZQ|;5Za98mki=vNLEN=PwKh5Ll`Wpaz@-E<{?_+GDt4s zRU`I0z4;o>rtyU)Y$X4_z;o~eb4;Y(wpeE|enTO1a@3aU9ZD0 z!LOr#n;NU`j|Uv_q>0j_in~^=D}eqFcf&NizW}AtL+i7+uPa^0inVWQ{z1iOil!U} zgj~*S_f?`EaV&r|`d``3nH^?_APc`~iH{o{3gIP<7+RH$-98G$HmP-~h89_C>Lyps z&sVdm>GLqQKF6@1cNU2~_`(pzKH}sUy#VQh&t=Av91#=|o(e4N3vOoN0k#lGA1?vi zB?Y2HH1GU)GA_n0c<`<`&*Xzqvd^1aK7Ngu+*WVxsnU|p;)~w<9ODH)5G`7?joHPX z$!XB5&PE6V2)gLT|MGpMUr;~IS6yL))4Gu)XI|e(F~WS$;98&AJY+FS@QNyX;}XGhUYiTG*#FJDi$v9X>q$d`Fgv1X~eoU;T0V{ZrB)0!GunpBb@D!j%56U8BY=_OS-na7mwlN6X!GqS65IV zJRx3wvOyWXrk1A|cx^#MYULdpm+%Wh!^XwZq6t~N?+Agy1zOsTD;YolbJ@a|rxPHX zX!8ZCsXd{*63JmpfmhXJQNocox9C&)VmY4C6!efOZpxZH+Leq=5dNsC>Cs50oJxB+wzC;ZTiU(Z$7E(e5`T6d_IGVtCMOx*MVXY zXi#mARbXq4j}@#P!2s14yqro*U=*3E>XL6+pT+X=5Om9<@VPmdd;W@X++&KraZWx5 
zO3Uym2wsejM!Y)jD5BR67&^bw^!|LNp?NFch~X_24AzPzV>wSEu8_m%^1ix_y`bRrpB@!GudM~zzE2&2aGC+Vm+;{~+I7C_j|CHP{ZS@7l1pWJkM8HJzNZ*V@h3(sh`&GJ${@_xT7WCFsud3d``{d7TaO<}0cwkWU zm|Veti60wU?b!dLzm$p9Xj*N_1^maR9L@bI6G1p%X*&4@x$SCSTxzTJjAMBppo1F| zL2Pd!b#JG%=N(=0f#Q1-;52o#@~~vH*aWR$bUu@l%f03gX10LH07nQCDuw1sW8fjD zHCL#*j=`?utayDnGMgkJ*O9V>yW^Kv=5yn3$`hu%G5{Gnv0g0Sf$N4K_=j$x=b{}6 z8BE99&G==m%XF-wPUP;ydA11)3km-10X0dmW007b3007QEOmH-_bKlX+?FeuPKgp48wcel4YU9RA+4^7@Bwm^P( zZjY#=ZhilSf(Au?UL`-@ejmF;%kb9ZkVbtQB)S@(m&RGZK4zh|Wj>XkFv_&P} zZlT>_qTohfIT6ai4(Q8%O)HxHAWtW;$Eq?KSx|6^<*oY?bOb)8qqxNkw)G3GyDSP+ zdqg!Z)=`YWXy8G~Pd~v6$I36^$tZGrXgBE0ng7IrwqVl9xqD~KkTj$RU7$?hH*mU_ zEl=h1HXx80ZBEODSCrSh1ZO2g%^m;9vSJEn%${eGx2V4*rZui7EGwKgKS{>?s(a?6N!=Q9EzJq3+SZm0~S|;2Y2#XC-X0@9t%>iR5Aur1!*6fVXGl zdq3rAArI z6yz2+IJx1e3m6F)x%fq;SvxVyV*MR4P|H>!8e1(-uY6M$d?ALPxLX>VNUm$j#c*MM z8Q$g&f2yYh?*K_2&<_&mlkm&G!F%IL@eCe=c&1X4f7vLw?a&2yl4uxN_tL;qm$Yh2 zZyoF#A67Xy|4B7?<&)<6{Anh@mz52_t77nse78x>{opVQVAtbgS ztwD7O-Vcc`eyXN0g-oR-5js<47$L)v!m~5J{WDa}f>(8wpUAKIGgUiuk5b$XQObTl z>`4!|PzQ{M2waKcWnA8F6I>Hm9Lx~RVZ8TfEEF9-sCF_XD}t+f(#?ty;PAw#_sg4bhz6up{pyUvm5mGRgnC-1F!nMD$OWXILo6O`nP(OmpS z_#PAnLlzD*%A2(WUK$Z(%TLyZBYJHs*1_l=%#%c8Xp1=iqGma_9c~cBFhz1^(_QS+ zfZNdlRQ8Qg5H15ky?-zMDXbh!{04-|qtWHK1I;ZO?aK!fQxpuXuxoSYKJrZ(PIUMD zphtrwMewM0NYrTiRIJt2$5k-?P6K0WQmS(V>;t1SJ_vt}zxiEQqEWC19h^{wuBXUn z>m&DL@~k_hJGJn!=VgElb*nhr&d{-O?&E|a2z$^Oyawu^(SbYjiBsc_9uS_R9(?~G0*Xe5Ae%z<^a zh$oUMM6v?HJ*&-;m_23`uLu*JM+DQg7$M_|v*+$XFtzkCk@ztRVqd|G840X3#z`6D z$*3n%?<0JBTad+5z!Z7k$eeTK|D_nz%ahH>i)QHHU*NFm2q`Yx8%A{2wk&`@s*Gfti2a6%5f?3$6+0ebP7!HMOu{| zs@{~aA1ON(K#qAvh(cNxkxLo(FI*0*flN2d%e9zRat^jWz@aHpek>ZNeE&QgW!U$_ zFNz;hnfDM}``-1~-Ol#&EY;+bkHA4sM)3JDX!95NX!I1>VPl1hKF##d zJbz+KVEJ4(sWR|m$~M8isvxg;d!}>Gm&Bx$l{YdMle1HFZ!eZs?LWEOz zJK;A@*d)JZMk^c2+iUt>gL&|g<`QLs5KRptCcd`Is?hShcN@VMLUur>F$dFmKnH;U zuw1%h`XZ`%zVCBmLWgK#l0NlX-t$r#^r!%YQ=r$k$w>qg_^GX~WUP!}DMCnx<4a;D zkVpG9@u+LE42d;@i&w73EB+0GQ;wu?8&<{xFaT%vN83E*8W^h7PX5`7FP44pAh>|T 
zczCS3q}MbJb;yL_uy^_msg#<;NUhn>C)TUM>-l1OaY)m2`!4<5$V-9|qibUB7c?+@ z+6C8xyz>;{tO%WiBJLB1<)ZdQP&Ts5XygwwGN{XVXHrC!@pxFiQ%05~H4OmR^No0y z@I&Iu2u#rI?Fq3q`igI0N0c!ST`J><6wBzQ3Qgz2;tspkO@i@ibN$<6v5q6?U}OSw zh(MZSeNxVN!|EMrMH`>Z!sZ835=27kfMBUlJeUbW9HFwHS`oE$9Ni_V)oAIjrI@agWrub0+fjr0I`1!D~05 zsJe3aH8EYb<^g6J1?n+=a#<#$>OEM+Kl6}mp&1i0|M%@_a#vwlo1iv897*QPzLrZQ_~MRRCqpA+Qy3YQFU|@`gII9y z!X?RHX(zp!1#}oWf?FloJFeV_gJ`tN0_OAUmWi+M6+WTOgFVKRLAfkw@0V)opF}Zs z7yiIz2`UdWCyoqvcGSrkj++Q45f@#~zX2X6+oa4ie$d#+am9?(!ofXJ#Mvs^{Ha%x@;i2BD4T<5dke)%b7MJ4|OEqj|40PAWT+}n=NItP0oeJDQ6&4F%) za+E!wVe4t#>XXYF$f(HFqFG8ultyqp9al+a8kmoE*GflXJ;6k8Zy5jUi<`m3?XRQA z*rmfr=QPBC1sKUK9H+`ST`^3Yc^ZB?Set&ZYR(k`-Kyxrn|v;r5!W`Np4u?y^6)wW zuaP%OY79bMjiYLQqD`!DtOS3Zr%lYdr4}bGOvg#^Fx&)@ia$r+a-b3vB+jmE3})4dck59){!_&d0C8Id0;u zn6z_}7B8IB#glaH53RJ(n4P)Ubc6h+aguZua&m=Z*9xD0wHRF;rMsL+@Zg0PXK@^` z0-Km~#gI8+Yn|e0aI%n3lw75;aX?4P)k4tIsTyKKT7=i~zn_FG7 zF<8b5lq4_|m)7O-9iQy9ygRXjR6T!4Nf4kr9AT<6ka2b!Zhd1M0=AEkeK{#~y*lR;ObW{l(>#Mhme=>Tn}CQsd&rH@{exI#deb;I2;uhUVR!sq^)iTJd603x3Ed1T zMj)0zB`vo`qReCauC7Pw;xWY(eAcH&u{jQGP^u;%?8%T%eook!rYtsXlzw1Yo=waa z226|V{WJhdQ9EUX&bitaZ5ZvW*Dej<0@bq)k}%}VxlD%Q2>85ovI4L~LzZ{_3`Y)^ zLh2nijr_!yhNix`ehu-d;MmwJ)AueTiFbBY;ToEL=!qpV$e!^&JI^?km9KKHS%Qh{w(KU*;n8gcc`wt z7cBkx0yDCzA&Hj;_(K;hUMZjU*kBv@R738NP9E%inn-c0DC{wd8>JgR>U6;z{J4KZz*xZEEs6)uF!$t!HYRLiGt z?x(y-i<6FYbU!?#ICp0Wyk7Oh28meR@rqe5B@lyCDnveG3)8C&RG8Uz1eq5pnxPn2HrwDc-kNSEm9&ORcNY1n*|#Z*I-||Ko9&-xmuAb# zi*}3JTp^VPm)q0JYtbEMlXuE`0Rt71+?!#$92_34-4ZrY1cDVY#>*6>JcIDx>csDf zd#^}6a<}$Q*Pp!#K831YLMMbCujscnH?0r5S8NfTM@gD+4Zn=7?~c@1lq-`jtr@QJ zFKrKQhD_*uY<1aL?)}CGZR=qs^Mq4sZ|^jLA>2d{bwUZ^{jxt_2v#X|{)WvW?jwd$ z*y7aNol;gAaM6y(Go`jE7h_2vpf(wwd5^g z*h-+ZlCh`{^Qs5xkcVLO2j~RCv`8sJSD_=qEJo4u!m6c85d|PbUdze?8 zbXqSQkxk%OTbOD|K)wW=A6UQiErTBT!d zQG5#@T}mk(jp1mA_Zg(^S3?{t{nhqbmWMX+HbJ*8E8g0PQt! 
zJI}*lYi-)IezVFnC%bCidqAM0pa1l_m%K(sKa|u5)jPw}u%<5a*gr$)n*IRuXxyMA zQ|P+VpxWe#9GqA_p7FgQN$K_FVl;Dwx{sU_6P#?Xi$wIB+WEiSt6L&;U9OS5%u&;d2*`Y zJ%J5!MTk#z*;X<5n!xDi<9+wrz-tfZz_DKXmY2Wa5;i3;hpbd;I+jaOU>scAw8Y^( zYf7T8$oCay{UD|LTW66o`A-ZV#+(#>+6D!d$$0Pf$-Hi1;}LuKWp~kzg5pt(-r_}z zu{P)e2*Srl(u^u-?}_Au)UUhMu0{VZz` z?2P@(Y$%N3zNs6U@7xVJoDy9if@Vu8*#*^!GcGqw z0UakFaJG3kf95u= zaClPFY)wYdfNUFWGi?nKJ`efgi07wW(ZOACi->vwM~AgSpO`%1%xXF2jq`Fw^I-(k zN}G_;DVuAjLO(83@~aq@-9JLK%K3fM%(vv@R~D$*@}l}^4B|HD_Hx1WL!Ujh6J6U)^e4|EKUCtLnz1M6%jPm1a1{oA48VZkA7aDk*)(=Ur< z9{RNqBeLXI^xD(i7uNZKqR|JW?UQ<|A1Vok0%}Mfs#3>KqeaKdF2W==X2!80^O06+ z%b%O?dj====uMtMu9$ns$KSc4(6HuwC6tWo2c)^CA-t($O&vBeBHHHvPI~{Xvg-%j zZ3N1}c6t9o&Ru}zuLK;l#xNQn>Mi^P;-lVz^jvZWqj%VXzT!El1l6nu|B$UWE z+>p+ywVT=|3g)M{|~dNCK8)Acz!RW-=SZ{a(HSLe;vV7v$8%{@rWF;vVkV4#*ok2Gq?5vpiVYW|1+XyDKSD#!OQhw=Tk zVkovD7JV||OzgR@ zv=9BjCi!;M)a*B)2_nwC7Hdk?I&*~`5F$>Cm_gwa27k0!XQik(+9jz`RrFOrAaY1_ z7H7-3zQhjr@B02}<*N7~b!Xh*_y8gw;g%BBKTPUM;(L!`{ z*c>E!g2fZ(^}YS|vdVGGW>4fr^?mN|7|N-Che-R4qrcD9)bl&|U72!nYZGR5=Joh~ zT=)}b!Dm%Gx_#x9#2ir@CUu4`7=h#L+ox|;cNh@i?koQ!y``*paS>v4?d%>})V~C@ zIkK%%T0K#&vf=)%gNS*P@h*}a69|o%(l|}AhU^awJOW^eyL^SUPk)@*#N{7T)%WDF z=Tj;8BV=D@6!0FdWn-se46=A~;EZZmDS4*q{O7ca z7~`Drb+%kFxVAFaOusJ__DKeb?hKXq4ztvpE8E`K9e>H}f<|VD-ZC(hWju!J^;${W zi|i|kh@R+05@N4&Zv^9$w^}`= z9YO~c@(|TI0(F*qMsgDObuIR{PGO<0fB2RTNQ0E%czVW3rqPo&Sp+S@t`~}VWy4A1o zt%&w&qG&pw5zkZRr>r6H)cfWH-mKvHl+OmFEWpEqg!C8(xkz-Smc{9DTLMponG6|Q zp~E}d#OC7!EQ=%NvHwo!ZH-x` z0)K=c-acY+r9*z!N#z*$GoBhlD>*J|GeVv^m6*7R;DMG1&L^s9^Fp6;$^`_XlF*5+ zP*!EAP4fu#8P>=(5m=7MXT(<`Y-LGPfx_D|XSP9>p$oS)QXV(ypzemTI|_D~dtAla z=Y+< z^Th4Lz9NeZ=Bcn?niyV(E#KwpTM`#^PFzr$`_|GXm{$gj`K_&-d3f$6`#TbTPka~q zofOe$t@6V%2Yv%zWASAKy6n$~tfw5P&iBF}?Pt%&z{mv7#e+$Un8^atc z$%>4)v@iu@?B>p=ADV=7*?ck;@$huh#EvkY3Vf-R2tVT@%7pUdC4UHAV`3j^)Ku2*LF}$h%x%aXp;=&P(g*DQmiQiSa`;CN;-8surB} z^V)0Pw)*vDk2-_yV-%&fe7L)*yWms$&Ebcf(g3SkWXTOK*}U1p-? 
zR~7+YHOQ%lOoOu$qbFDgvo>jU^{ov zb%4f+#iiGsiykF|62df4e6mcLSJ4;kMW;;VFU4Hu$84NsIpcbN@~~zw@LU*}2u6sE zb~XG7;X2EF^=>5KA#KE-s#&-MM~^*k2ygH2Flvf0u=s%gy(Q+K+y#IEQ2odJ8~;m# n%>SR{e-h086Z(IXFd+XA@|l_<0^)yMVE@hFe-?-KKezt_N6LBA literal 0 HcmV?d00001 diff --git a/Solutions/OSSEC/Package/createUiDefinition.json b/Solutions/OSSEC/Package/createUiDefinition.json index 4b144e2466c..c325a865af2 100644 --- a/Solutions/OSSEC/Package/createUiDefinition.json +++ b/Solutions/OSSEC/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe OSSEC solution provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (CEF)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\r\n\n\r\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/OSSEC/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe OSSEC solution provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.\n\r\n1. **OSSEC via AMA** -This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. 
**OSSEC via Legacy Agent** - This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends Installation of OSSEC via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31.2024,** and thus should only be installed where AMA is not supported.Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate). \n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -60,14 +60,21 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This solution installs the data connector for ingesting OSSEC by performing log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting, and active response. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This solution installs the data connector for ingesting OSSEC by performing log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting, and active response. After installing the solution, configure and enable this data connector by following guidance in Manage solution view"
+ }
+ },
+ {
+ "name": "dataconnectors2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for OSSEC. You can get OSSEC CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
 "name": "dataconnectors-parser-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the OSSECEvent Kusto Function alias."
+ "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
 }
 },
 {
diff --git a/Solutions/OSSEC/Package/mainTemplate.json b/Solutions/OSSEC/Package/mainTemplate.json
index c0a76c876c3..de463cfc38f 100644
--- a/Solutions/OSSEC/Package/mainTemplate.json
+++ b/Solutions/OSSEC/Package/mainTemplate.json
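Review bot: The new `dataconnectors-parser-text` drops the one actionable fact the old text carried — that parsed data is reached through the `OSSECEvent` Kusto Function alias — and replaces it with a generic statement about "Microsoft Sentinel normalized format", which reads as an ASIM claim that nothing in this patch supports (the parser remains `Parsers/OSSECEvent.txt`). Suggest keeping the alias in the sentence, e.g. `"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the OSSECEvent Kusto Function alias."`. The two connector blocks `dataconnectors1-text` and `dataconnectors2-text` are also near-identical and neither says which one describes the legacy connector and which the AMA connector, so a user of the wizard cannot tell them apart. Finally, the edit to `dataconnectors1-text` removes its closing period (`view` instead of `view.`), which looks accidental.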
@@ -30,57 +30,52 @@ } }, "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-ossec", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_solutionName": "OSSEC", + "_solutionVersion": "3.0.0", + "solutionId": "azuresentinel.azure-sentinel-solution-ossec", + "_solutionId": "[variables('solutionId')]", "uiConfigId1": "OSSEC", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "OSSEC", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", - "parserVersion1": "1.0.0", - "parserContentId1": "OSSECEvent-Parser", - "_parserContentId1": "[variables('parserContentId1')]", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "uiConfigId2": "OSSECAma", + "_uiConfigId2": "[variables('uiConfigId2')]", + "dataConnectorContentId2": "OSSECAma", + "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", + "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "_dataConnectorId2": "[variables('dataConnectorId2')]", + "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", + "dataConnectorVersion2": "1.0.0", + "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "parserName1": "OSSECEvent", "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]" + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", + "parserVersion1": "1.0.0", + "parserContentId1": "OSSECEvent-Parser", + "_parserContentId1": "[variables('parserContentId1')]", + "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", 
"name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "OSSEC data connector with template", - "displayName": "OSSEC template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OSSEC data connector with template version 2.0.1", + "description": "OSSEC data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -96,7 +91,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId1')]", - "title": "OSSEC", + "title": "[Deprecated] OSSEC via Legacy Agent", "publisher": "OSSEC", "descriptionMarkdown": "OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs) for more information.", "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", 
@@ -216,7 +211,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", @@ -241,12 +236,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "[Deprecated] OSSEC via Legacy Agent", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId1')]" @@ -282,7 +288,7 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "OSSEC", + "title": "[Deprecated] OSSEC via Legacy Agent", "publisher": "OSSEC", "descriptionMarkdown": "OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs) for more information.", "graphQueries": [ 
@@ -402,33 +408,328 @@ } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('parserTemplateSpecName1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "OSSEC data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId2')]", + "title": "[Recommended] OSSEC via AMA", + "publisher": "OSSEC", + "descriptionMarkdown": "OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. 
Refer to [OSSEC documentation](https://www.ossec.net/docs) for more information.", + "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "OSSEC", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Rules", + "query": "OSSECEvent\n | summarize count() by RuleName\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (OSSEC)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OSSEC/Parsers/OSSECEvent.txt), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" + + }, + { + "title": "Step B. 
Forward Common Event Format (CEF) logs to Syslog agent", + "description": "[Follow these steps](https://www.ossec.net/docs/docs/manual/output/syslog-output.html) to configure OSSEC sending alerts via syslog." + + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. 
Secure your machine " + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "OSSEC", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId2')]", + "contentKind": "DataConnector", + "displayName": "[Recommended] OSSEC via AMA", + "contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId2')]" + ], "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": 
"[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, "properties": { - "description": "OSSECEvent Data Parser with template", - "displayName": "OSSECEvent Data Parser template" + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "OSSEC", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com/" + } } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "[Recommended] OSSEC via AMA", + "publisher": "OSSEC", + "descriptionMarkdown": "OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. 
Refer to [OSSEC documentation](https://www.ossec.net/docs) for more information.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "OSSEC", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (OSSEC)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Top 10 Rules", + "query": "OSSECEvent\n | summarize count() by RuleName\n | top 10 by count_" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OSSEC/Parsers/OSSECEvent.txt), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" + + }, + { + "title": "Step B. 
Forward Common Event Format (CEF) logs to Syslog agent", + "description": "[Follow these steps](https://www.ossec.net/docs/docs/manual/output/syslog-output.html) to configure OSSEC sending alerts via syslog." + + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. Secure your machine " + } + ], + "id": "[variables('_uiConfigId2')]", + "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." 
+ } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OSSECEvent Data Parser with template version 2.0.1", + "description": "OSSECEvent Data Parser with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion1')]", @@ -437,7 +738,7 @@ "resources": [ { "name": "[variables('_parserName1')]", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { 
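Review bot: The new AMA connector's `permissions.resourceProvider` list, in both the contentTemplates copy and the direct dataConnectors copy in this hunk, still demands the `Microsoft.OperationalInsights/workspaces/sharedKeys` action, yet the instruction steps configure ingestion through a DCR and the CEF via AMA connector, which does not use the workspace key; dropping that entry keeps the requested rights at least privilege (patch 2 removes it from template_OSSECAMA.json, but the matching mainTemplate.json change is outside this view). The Step C `CopyableLabel` value fetches Sentinel_AMA_troubleshoot.py from the mutable `master` branch and executes it with sudo in one command, so pinning the URL to a tagged release or commit and checking the file's hash before running it would make the troubleshooting step reproducible and resistant to tampering. In the same step, `python -version` should read `python --version`, and the step titles jump from `1. Kindly follow the steps to configure the data connector` to `4. Secure your machine ` (with a trailing space), so the numbering should be made consecutive and the title trimmed. Both copies of the connectorUiConfig need the same corrections, as they are otherwise byte-for-byte duplicates.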
@@ -446,6 +747,7 @@ "category": "Samples", "functionAlias": "OSSECEvent", "query": "\nCommonSecurityLog\r\n| where DeviceVendor has 'OSSEC'\r\n| extend EventVendor = DeviceVendor\r\n| extend EventProduct = DeviceProduct\r\n| extend EventProductVersion = DeviceVersion\r\n| extend RuleName = Activity\r\n| extend RuleNumber = DeviceEventClassID\r\n| extend Classification = coalesce(\r\n extract(@'(classification|cat)=(\\s)?(.*?)(,$|;|$)', 3, AdditionalExtensions), \r\n column_ifexists(\"DeviceEventCategory\", \"\")\r\n )\r\n| extend DvcHostname = DeviceAddress\r\n| extend EventSeverity = LogSeverity\r\n| extend SrcIpAddr = SourceIP\r\n| extend SrcHostname = SourceHostName\r\n| extend SrcUserName = SourceUserName\r\n| extend EventMessage = Message\r\n| extend FilePath = FileName\r\n| extend FileHashSha1 = FileHash\r\n| extend OldFileHashSha1 = OldFileHash\r\n| project TimeGenerated\r\n , EventVendor\r\n , EventProduct\r\n , EventProductVersion\r\n , RuleName\r\n , RuleNumber\r\n , Classification\r\n , DvcHostname\r\n , EventSeverity\r\n , SrcIpAddr\r\n , SrcHostname\r\n , SrcUserName\r\n , EventMessage\r\n , FilePath\r\n , OldFileHashSha1\r\n , FileHashSha1\r\n , DeviceCustomString1Label\r\n , DeviceCustomString1\r\n , DeviceCustomString2Label\r\n , DeviceCustomString2\r\n , DeviceCustomString3Label\r\n , DeviceCustomString3\r\n , DeviceCustomString4Label\r\n , DeviceCustomString4\r\n , DeviceCustomString5Label\r\n , DeviceCustomString5\r\n , DeviceCustomString6Label\r\n , DeviceCustomString6\r\n , AdditionalExtensions", + "functionParameters": "", "version": 1, "tags": [ { 
@@ -485,12 +787,23 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_parserContentId1')]",
+ "contentKind": "Parser",
+ "displayName": "OSSECEvent",
+ "contentProductId": "[variables('_parsercontentProductId1')]",
+ "id": "[variables('_parsercontentProductId1')]",
+ "version": "[variables('parserVersion1')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2021-06-01",
+ "apiVersion": "2022-10-01",
 "name": "[variables('_parserName1')]",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -499,7 +812,14 @@ "category": "Samples", "functionAlias": "OSSECEvent", "query": "\nCommonSecurityLog\r\n| where DeviceVendor has 'OSSEC'\r\n| extend EventVendor = DeviceVendor\r\n| extend EventProduct = DeviceProduct\r\n| extend EventProductVersion = DeviceVersion\r\n| extend RuleName = Activity\r\n| extend RuleNumber = DeviceEventClassID\r\n| extend Classification = coalesce(\r\n extract(@'(classification|cat)=(\\s)?(.*?)(,$|;|$)', 3, AdditionalExtensions), \r\n column_ifexists(\"DeviceEventCategory\", \"\")\r\n )\r\n| extend DvcHostname = DeviceAddress\r\n| extend EventSeverity = LogSeverity\r\n| extend SrcIpAddr = SourceIP\r\n| extend SrcHostname = SourceHostName\r\n| extend SrcUserName = SourceUserName\r\n| extend EventMessage = Message\r\n| extend FilePath = FileName\r\n| extend FileHashSha1 = FileHash\r\n| extend OldFileHashSha1 = OldFileHash\r\n| project TimeGenerated\r\n , EventVendor\r\n , EventProduct\r\n , EventProductVersion\r\n , RuleName\r\n , RuleNumber\r\n , Classification\r\n , DvcHostname\r\n , EventSeverity\r\n , SrcIpAddr\r\n , SrcHostname\r\n , SrcUserName\r\n , EventMessage\r\n , FilePath\r\n , OldFileHashSha1\r\n , FileHashSha1\r\n , DeviceCustomString1Label\r\n , DeviceCustomString1\r\n , DeviceCustomString2Label\r\n , DeviceCustomString2\r\n , DeviceCustomString3Label\r\n , DeviceCustomString3\r\n , DeviceCustomString4Label\r\n , DeviceCustomString4\r\n , DeviceCustomString5Label\r\n , DeviceCustomString5\r\n , DeviceCustomString6Label\r\n , DeviceCustomString6\r\n , AdditionalExtensions", - "version": 1 + "functionParameters": "", + "version": 1, + "tags": [ + { + "name": "description", + "value": "OSSECEvent" + } + ] } }, { 
@@ -533,13 +853,20 @@ } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.1", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "OSSEC", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The OSSEC solution provides the capability to ingest OSSEC events into Microsoft Sentinel. Refer to OSSEC documentation for more information.

\n
    \n
  1. OSSEC via AMA -This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. OSSEC via Legacy Agent - This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n**NOTE:** Microsoft recommends Installation of OSSEC via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31.2024,** and thus should only be installed where AMA is not supported.Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate). \n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { @@ -565,6 +892,11 @@ "contentId": "[variables('_dataConnectorContentId1')]", "version": "[variables('dataConnectorVersion1')]" }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId2')]", + "version": "[variables('dataConnectorVersion2')]" + }, { "kind": "Parser", "contentId": "[variables('_parserContentId1')]", diff --git a/Solutions/OSSEC/ReleaseNotes.md b/Solutions/OSSEC/ReleaseNotes.md new file mode 100644 index 00000000000..5bffda1dcc0 --- /dev/null +++ b/Solutions/OSSEC/ReleaseNotes.md @@ -0,0 +1,5 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.0 | 28-08-2023 | Addition of new OSSEC AMA **Data Connector ** | | + + From 7a222e949aaa0fbcf52a0ecdfb877cbde3a7ecc5 Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Tue, 29 Aug 2023 11:39:26 +0530 Subject: [PATCH 2/5] Update Prerequisites --- .../Data Connectors/template_OSSECAMA.json | 21 ++++++----- .../Data/Solution_OssectemplateSpec.json | 2 +- Solutions/OSSEC/Package/3.0.0.zip | Bin 9131 -> 9282 bytes .../OSSEC/Package/createUiDefinition.json | 2 +- Solutions/OSSEC/Package/mainTemplate.json | 34 +++++++++--------- 5 files changed, 28 insertions(+), 31 deletions(-) diff --git a/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json b/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json index d58e574247a..6daba31be63 100644 --- a/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json +++ b/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json 
@@ -47,17 +47,16 @@
 "write": true,
 "delete": true
 }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
 }
- ]
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
 },
 "instructionSteps": [
 {
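Review bot: The second `customs` prerequisite states that both `Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed`, but the instruction steps (outside this hunk) configure only the CEF via AMA connector and its DCR; unless Syslog via AMA is genuinely required, the text should name only CEF via AMA so users are not prompted to enable a second collection path, given the duplicate-DCR ingestion warning in Step A. Removing the `sharedKeys` permission entry is the right call for a DCR-based connector, since the workspace key is not used by AMA; the two copies of the same permissions block that patch 1 added to Package/mainTemplate.json should be changed identically, though that hunk is outside this view. A short wording fix in the first prerequisite would also help: `they must have Azure Arc installed and enabled` reads more clearly as `the Azure Connected Machine agent (Azure Arc) must be installed and enabled`.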
@@ -70,7 +69,7 @@
 "instructionSteps": [
 {
 "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
 "instructions": [
 ]
 },
diff --git a/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json b/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json
index 6d5d1546704..cc7b3fba9c8 100644
--- a/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json
+++ b/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json
@@ -2,7 +2,7 @@
 "Name": "OSSEC",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The OSSEC solution provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.\n\r\n1. **OSSEC via AMA** -This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **OSSEC via Legacy Agent** - This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n

**NOTE:** Microsoft recommends Installation of OSSEC via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31.2024,** and thus should only be installed where AMA is not supported.Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
+ "Description": "The OSSEC solution provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.\n\r\n1. **OSSEC via AMA** -This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **OSSEC via Legacy Agent** - This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends Installation of OSSEC via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31.2024,** and thus should only be installed where AMA is not supported.Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
 "Data Connectors": [
 "Data Connectors/Connector_CEF_OSSEC.json",
 "Data Connectors/template_OSSECAMA.json"
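Review bot: The rewritten Description keeps two missing spaces, `**OSSEC via AMA** -This data connector` and `where AMA is not supported.Using MMA and AMA`, and these propagate into createUiDefinition.json and the `descriptionHtml` of mainTemplate.json in the later hunks; write `**OSSEC via AMA** - This data connector` and `where AMA is not supported. Using MMA and AMA`. The list items are separated by `\n\r\n`, and the rendered `descriptionHtml` in the `@@ -862,7 +860,7 @@` hunk of mainTemplate.json shows empty ordered-list entries 2 and 4 between the two connectors, which looks like the `\r` being turned into its own list item by the generator; plain `\n\n` between the items is worth trying before the package is regenerated. `**Aug 31.2024,**` would also read more naturally as `**August 31, 2024**`.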
diff --git a/Solutions/OSSEC/Package/3.0.0.zip b/Solutions/OSSEC/Package/3.0.0.zip index b8a503f9af18931290aa8992764e13c18a881431..39f76fd8144f2cd33190013cb8b09afda9c40d10 100644 GIT binary patch delta 8250 zcmV-AAjRLSN5V)OP)h>@6aWAK2mpm!9ar+w)IsqF007|^000-0JR=&hHF*PnJgJK@ zgpj4WoK2C7x7=V(_|K;#d9!yN_WQzK2lVC}>l5}P+t<=|-lq?@Jrqr3GMe^ApRHE? z+1Hzj*n|RrHWqI~NAy$orZ2(zGyM&Evaf)>Y)QntwcNM**g>vu6!} zMJaK^oY87{N^5m3DT%%yE#Pkjd5?D-#Rc@tHOi|ta;Av0y5MlpA zNLb7ijB>kIQ-5(p@*P(wxi4VO%W(kYI9!kM(eMHsO`;8nPgyO0H(@Wnq;X8F){dRN zfJRgAq4JX{Yt|0pZvug_bRze9N*X`o8bwE+mLccM(fM+8G-V{_Pfgj;ax`6zyeEfu zAC92snG@s0P|?(>?HjD1WkfP*-iKiam^`ol!gxS}C50Yw5f< zPfDWnG`IF9-EKpFKkV7*%z=6A&6`K>$2Fw?f>Cg{cSM(AYVM5^Qb#r#z_-tqnpXu9 zw?j|q(Xh)*(I?S1=nWC(Q9W|3v{NFiA~p2r!OK6sgTR!%mjy1C1=~zK?^uB@C#1++=h`&FLl=;WXK1J=?=>Mr~(a&ACnQxWmSFWBoP&^*Gwh03Yqo%NQ zIYU*$<;9zSsV>mLFBb5IGC5cBBjmz&0}*}UvcFuH16)ZsDq^gS5#6IPk?S>HW_b5e z0<2#mv!0)Jn|>{fB1=!g#L&IQGj!(k48Is2D0oX@(+Zx$oW&eQU2ToGK?BLEBD4ru z#Gp3?(X|crtF(L6H7$eL7y%fm{Qy7k1>Bo3ko8gT8(;cD>3LtOkmgyVc~|knaABD2?nC>U+9d#pqO69bs-u~+-eYTYvzErX z@qfv!fS~dJz^|s@Ja}0(CpPMpco6fCi!NR=S%XgBF+zvtjV0wlnPY$r-0-aA{1#N*)Lym0UX z^7|kEKuGV;%%9VR*Lz5M^E6$uhvTt$Gg^3&H=_$0r6cdRETJPmUdV53JlWg-`*836 zaBqJ+rGLvXUSYX2x>$x@N=N@@arCF&fOp`>Q3~IFrU?t;2>aO|?cx8)?+coGQ!hmd ze#aN^%FEJuoM6#sfuF=IzD&uGuxz=Elk}ep^$rOVjqq+3NCLxJr*W92&>2Z3LF6({ z$cxj{Z;yId{DbIu=_MZY4uolahq3Raf>8MiUVo;mCB=qWngr2I^@+p>(Nh}D(m8zH zFJ4dSrI&^2&t91Edan}7;wBcl#sN%WJ)@3L|7&%uj-)q^b8jPD#e-bU-e$ zlth$H>6D}~S$d2SFIf!J^ev2=rR3MAvXkNIJkG-D5ULLUMTb9l$<&Xb+OH!*exW3Y zSbs{rDYi<|IVHbd$H`l^^n5y0Wd2I7=Yc;b0V7kI1Xs}IWfCuV@u!C*uh3I;e-M9s zP_t8QvK@cRjO@&=S0H}S;qJ~$I^z-%6CtmJDIrmF!^jYXjG|Pa#NhZ8vG6*iKK`{c zD5Pe0M}6Pv_g^=U-57Gs$lTJ_YRJE+{(ndWgmTe;8qdgKlE}R zh-iq@%V?S{D?`zg=E_R~?;@nS&VWS-LQZk5ioVIqy~{xiZ zZ=tyKRc}uFq_>B&3?Cv8x;Qx!7S!H$O-a2UM=@ugstNiIN+O$IN-a5_?k2^bJGm5% zUMy+CmB9;-p~h^UvT-i@Y-d1p#mPT_<_w6|$|?1;BuJAk3m1R7q&~{#zHVR~qZ{mu zYX-M7XsSJ&`oo<;76t#wsIUjS?HJH^jY6soCw|}18?!a(w@;FIn)$g%NqST7Ej0+y 
z)nf2q4=LXn>`eU~{s$2QI28ksZ8)p*s!w!UL@TWZF8Xs#uNr)bL4_7hauqv-pva=Z z6SoFWnl;$bd`*AhW+iratD5*6m3UIC#PzJH<4IYGC!4ColNL%m>8ixWXg5@eCoPq@ z%phPtqe*UQu5fGLJ`WjXa*;q((YeA6N#8=!V*Ficj@=8}?7KyO{6Ulo zSCVf|IV!aOb*YhJmT({+%#V3bSbQOf<{-aV^Q z=2dQB9n6r}()PNFf15Y(Hi)>1{+>oO3H+aqEoEG)kQc}W|0lW3v6q9AK_yk9=RK?> z@_K2IhGOEMP~bF-h)!RNWG%T0Jo1#zJby(FXIdmzYGRpPgaMn=B-dI;K~2G*dCA*p zeC<|rIaQ1&Iel;GT?8SB8fFl|XJLZ%6|eVtSE=yz_4SD7f00HJO~-vgG0c;= z?UFN1Sz;Gqf3w6}&i_|*T(uDDu}T|0m<|QGR$0QcIQ2p?i6BK3lhpQpdEJnLJWU(q zg_p!}Bay4Tuvk>sD}1oMer+E=^T2Y`8!({cug>Bn+212CvyfU0N?z+f)xn%cz1zh3qon=U5*YF7ff`9ld$jLT`yoKGH7^6F1?UZTe%N* zBETUp0)}yj!zuGpDz-Y25k=iJIfX(*0IGiLFvcx1CizbS2BGQd3|0)-e1f}-UNj}w zleiBdeg3doUo4;+r7_&LdW)08gPa)G6I>EN4hp1(Nz_Te|*kh3{L8_WfOOn|fu zg5htRbBuxMyQOer8fc;+LMCT1L3hF5UaB?`r2!GXxqUw%Fx{nh0235lsK+hQI9pCJS>uWf9h%!( zrjJEme5^iSe8V&doDLBBj&Ngz#QJfFkQTuy5kM2pd-5G$P?FuFZ@=r4(-i}5e~<-b z40CO~U0~C-mvHG=5c}HpJUWjK$nzM46MKi|xJ^a{muG2w_DMy><+aRJi|N(U+u zs7Vi{5;a>jFb)t=Hkbu`>aAR!iP#_Q!%#STP~Jfja8e})7oIa;YqCU|7g zV$K{yW_cnJ0Z!uG3b>VCQ!oO2fAW}I_Y?w$lVoWtMI)y=^t}j~9?M4J2-92((5R~* zi6iu!1HyF}i542;hjBJ#F44uu9cgsn{e&nX#sPyADp^HBB2AXpnhCw_f=ADUQxBq< zNHpbqF=wf&Rr&lufDwRoixi3AL{Mjv6+uLlp*OiQK_%XaZQhmC3ln5=e?k7m`0Kni z=$Lo)VE;ZjJ35g%xIZG#z+Az?ERj+MU6Q$XMaju3oySo=R5g^0Ase{qhkoK~{DtUB z7{Wuc6m^C&@hv-E8>qsB=Rz^Zu#p{;6cU> z2AY74fy{Bahrj%V6CkCu(*N&!AIR_f9~zllXUD{or&EsN#I5AV|*Ox z3w)gQ+@hcxRB6PdD;E)fvSMP3;f{ilSKo1=L!n~m-@!lErM1O>KsF)D8p8^0nWbaK zi5`kyqj|ar`yzT#Mpy)S3?g-uZ4V|I>>}cBn{;+${v;ZSWe_=!Q?BGMR#V;yr1J15Fg^)eC%%fYmYL>~h!s1smsd8VE+xg=Z zjJ61WgiUT%sz9)10yaNi6287_#C9?}{_< z;m7cLypNmsyxLH`t7_yeRlhY?*5%mvI>Qt8=c_ubviZ!h^zDd2hYZf{nRhr05RXxRv`OA}W}crqiZS z^<|}8=|!2%e--xL1htT#K&cGB1Ewjja!Zg8S=&ULA`A@o_;%Sc3{p4VRs!P2Cg@Eg zvJoNyRMSYo;XXMy%EXnlf?7KOF(ii%RZqdVTe3H#uqeh9Sxa8s1ga$45bSpOy_^`8 zhjhRblyuesO4P(w_+uUuvS_i5?)==Noo+=?KKl-$f2_x>-sI=3S`s7AaGwd*k-eS2NQ78H+ZROa8-(*qspPEJ1*#=gCqY;0sku6omfyS#M zRbSg`t9>DBRs86v*C?cV9jW-IJotAVw9`wjZ6Z_yKQ>v2-qhR|>j)Q9{g~)wC%xs; 
z6|yaGf46Q8bTxFUYUy}suAH~));qZKjdtU17;}A7R^afukW4q?_{)nOZf+17V};JD zqt~^^1`RPmT`bT&1~B}F-RC#?`u0BF=*;2MyZG`>KD^0yclX)3FLs*2Te3#21lLgV z_W1Fem}*l;wKmr_PBl1jx8d>?2`*gt4RGC!e|YY%3dh|5lddlB*MLPg!=YQkpv_RZ zG-;j_>RTPe8qnTP0_m+Au&-q*YoNRC1Whwkw+^Da0npsn?U~g8hOaWI6Zrk^K<{;9 zs)rN1VZ`8Jj6W9RXZJNuk3bxx7u6q~4*8t0H%4-?cxnxzE;kJzyc?+-I!fQ7KUfaAU_BF$3 z8{xBd>vIcm*{=*HYujgO^+1__W3WwZ;Iohqtzawbp@z zS^|V_3S<3J;Hz$EP$yW>+DMe@RNe%Jf7;n;ZzkOI_F<--8MB3xer<5l7H-2Hc(idB ztz1P5n5fJ0x3v0ez(T(uIH=v$x3=@0YKLTFwVL>aL22WHsQvef}Z9b z*Bk6+`k&^GyotF3y7t!T_KrO3mg|>(N8Y5WvZmiGB~w4YJMt!WNN@*?Ltfhpi-WNLyb4xb%5sy1OM@`7IzrXnBo26$RKVV~jM zc$LK-Zl4Pf#S^|s@H4aubMyGWWQRAr0|m%??kaJ=Bud|0tloGFk37b_O}2>M1ef$( zz*5kYBbCVcA!aE@IS+Pr`b7^Ke@sJb={7E4+uqW*iMRA^qOf5P#nTdJWL9Z~IZ{uT z8Pu1@n|O`jhR$bq)D*b|*pzxKIahqT%=`96!&X6O?e4(cK$wc=*MKtRmD{08^5PxP zC0d=$yV218!I@C>F(_Nqo~N&qsEP;AxBZK)_$ZEsVk7wHXKa8m-bzd6e~K@MiLdsm zsE`{P;W_{TP(`AuGo*>{5is-RP{5mHZ~sWW3-E}d+{fHaGNgoR#XQ@yLUX5dN~CD@FxTc4Pl~(e|c}iC9s|2#sq$Wf1UbC4WAs6+`+mwL$%b?I!4_>x3l_e?a%h)s zg3i0D%2vdk+IVl&ho%DVI7vO-_55FJ<4hWfsp|JefNmPee{L#p7t?TL-!*USsmkNc z#P57A@STr<-nm`yjzu8aM?S^VLSpgh6b%*6-GOwfj{~2n;(#|`%kLJxBaGy@u0s>b zQ%l+qSCGv%i$BeVNj$BAKh?*XWhovcI+NiBxKg1&8T#Avu2d*w_2IwTol~r|+ z(R$Im*?6X$f9j67CiSch3NF29hKbz(Fz_W_PdEA6ucvchQAqczW?Tr1<|}9Nk{zy| zarU;op03^1HR`bvv%Q|q`ct#WI@`9_)2(SDR0G|wr)!7QQthvKEnS7&uGi948t7`^ zRMopc2Y(6I(%IejTG!GU{MN9#>!KjP;A`nBF~iLbe?eo6&{=i#y4!2%w%5|Nu|}-~ zcY7^en``OXIcU-hq5i6%)0=o5-6nzuI~)%~ZhV@H@ivih9}7iWHzU55r~VW-_igCB zd>S-O`uy+ly^vb{ubdx@ZWnsP{Ge`~bxTV(4N*}6H%))u%9yT@pQ*|EGE^bb<%v zJLt@N|JL6p-QGc0u!-_*LrOj^t`Z;|b1!+}@&TCb)XENO1 z1J2kCU03yG5Ft&)YT3GDv#wU<4K%{5>6wQhgWfmRU4RlOu#i-1XA{IdvF{ZONu~^L?xHsJgS56#v$lv9~w}gRC|ec^SF8$h%Sdk4BYhF$puw%gNu) zf>KVjc12vQmsk60Q0P#`ht==d;(`|B@h*-+kFnz?Mp^zYxD12@@XbM@`0VzDwG z^#>YAJU`w2=gzKgH1Zz)r~i2O{G9dwf3Z9I<{$mt!Jps%&-*|3!TjADki*=ceyhwg z12bClG*MFC-#zc?gO(C?-W!nf-g&QI*IM7;&66wt2bo~a841*b!C=+-JEdS>G2(fQ zOGNd{D0iCp$4hJg%A5)(bW$#$btsCcE$VW?pQOpj3#u1Y(w>Qb7y?SlzlpPD{nKH=?B41UL4_^|=`6dS&^bX^#DirYc2& 
zd=I+%mTQRl-qZ&3nn^#L8+Uyly)byEeOA}J9V*es!{D|*- zo~HP(pzQM{Q)8*70+UwFOqvSZe{0puy`}>9TQzgPslbC)%{*u-@Yhz&{M9UAv!b=0 z@Kfv`v?6(>0e@&AZZ?|cZZJMOER8xUXPLs4qk2umI)^tc|Y0xJ9(U|to z!tFfRzP*5{+f@V3^u_w|&}QX3+TBW^wb5#VP+3mlAkH$dW zqw(_KJc1$MkroMQe^w_{nlB=#j>iO71L?d?PBTT<-R4$;rdByxTQzN7UcfuD-ccY2 z8i)AbFgVa=&A8d2n7yIx_}83d04@HP0jnBkM z195(2L^KqjKspy)HP*K9uKQseGDwG zVf<4%^Zb<ZTq9JAlt43<@ z#RxMdmCiz0aePn+2aNWDV=AF%4g$Ye<#TqJ&B(p|5m^2EgMwHNrk-bvuz8$?@)(nG z=u;%IkV<}(ebdQ=jetghsMr=Y$ zqhZF%q6^|WTm&;r1Ay3arI|vY9)#RZj&k#+SYnDP)8=q8$oVEhHvQv%(U8l8bHWr| zKubl9t2U2YtM_iNU^JP#1~7QG=JWHD*s37c=2B~Se;gWfVDs>K_G* z8DWX9v1L6NJ}6Pl#J4xOw_#Va^B%blrs*6y_}hc!JNP-L7-QwX4_dAS-1{QNdZt~K zZJ7Ughxul(D3I>HW#7IR^WdJdws-jaNvUIB-YL^-0lICxcTSdbOR#Y_SHp&UmrLv{ z@P=lnf5}}9$9~&xm*GrqG8`9rVf_??tlv7DP@-J_>Ds2g3=)=}h!xZmfqs{Ht_Q>Y zznivBtwzftD~(d|O2@aTtvQ>9Ok)JzTQF5UmEhtLBAzlP;7(F1&N{lrrT#1icw5P} z=2Hv2b209oI8rL0_J8~X{Qv(0P)h*<6aW+e5dZ)P0EJr}SMt)-LGcFw0O6A=BRC)I sS{+voE%R$r8vp=j;Q#;;000000000103ZMW049@xBP0f>BLDyZ0HR_Nk^lez delta 8077 zcmV;8A9CQrNUKK|P)h>@6aWAK2mra299Pje^=k450082#7ncKn419%Z3^8P>FlSRF z<1IHB6#nxmN#5+;hyBK|*8;u$#{7i+$o93gt@r7}Z4*TonT)2r*=MU&fB5yrA~vA_ zsEx(j&=URFz3EG^{!o8|rtC{#FIyHdZ!Pz&K6a2R0GKABoo}1FVdrIIea=B7+`CGN zr?d@JthBy+N*HK=m$8>zW1QMiU+}j3@X$}0(gA6E=>j$3)EIU*hy}?c5uRQARVIY( zM#+?I1xp3`qho8M^UwqUY2Mz!HWdT!9tJ^;Hqy$K5)I>d#Pz12Um0DMd;W8x6t6!> z-@vfzOx0J^{8|6eDDF5_3ynUxDsXElZp3)8Xgl5jgYLe66hnU4!a7=*d{Ii=FlV$H zp3+)fONwITTk={eVusX=I`AN!+@T#HCTh==+;?>jm`?(;AS*F?&OkT%Vj>$pc$0db zYQ{;5qLo{z6jM}pKY7~IJw(|55E2$c1+(1l z)zn`ck$lG$O707o^Ku*jIS$ujd^EfON0Vqn;!{?C%T3seFKHeVt+ivPFQC!Xd#L@r)9|ba&*2N9ZeaD`BPJNv>Z*BBk#%K-G?KnzTLqo zVOtuJ?DvR%#=4f&7pj4F+jI}SAj+R?9@JG^u3`_PX=fAr6yK^#qID@dNu4) zQ}ju+4SGa`c~p-aEA5mRt4IyKdhqm*?;tQ`?`46DWkEMn+#Pcd8sa&--!xjgJB%=} zD_Hb%4NX(coCIg{W7~@nH{;mf(Cf^W2v9_SY_SH!AA7$}S$N;mBf&Gff&){5!0!Z! 
zfVx+4TFHbLG4V|n=t!3-|Bb>hs}KE;!_oS@%AfuEmA`s!<$b*)_Pwq=Z6>x6AP{`H z5^+VfCg$%?BW3=zvQJUFHu`@mTl90+ZRT60`IW0D4it}vu5H4A!l)@MUCvO|aCz~6 zXsQcz@S6oZqD;<}{0O=5K=xa=?2mFfnwm@eZ9iJ;N`C2MQij*tCM@FlRA`QCC~zZO}lnst7GY7BT2eL3C|H z{VMHVbxq4)HbwwOYCpgae8cjyg9P}0zB~J+;Xy_YZS;rS-UG09lI~8w9=nFU7G!%)FkBcWyZg|-rgjMcqA05&sp@FvtoPU&-K?dtZv04$eIu1fk;PrN#=mHhQa%s;s^d3{TonA z0|XQR000O81eP3EcMhB`yBYuhjo_0$2poSlw*P-;_B&v-owb$G!&Z{r+1$ik*J)Z$ z^SZIy&Yd`u(iALlO_3@=+HsrgXTRs*K>{SehioTGBHlY)i^SvL;Jk3~1M=rz|3XOb z8|KgH!s|UCy?L50*@N*|ycsRL$eYmxjna|#N0!i$A1~xLHlFP4{%g2%Z@9BNp3-P# z7++zzW4c&|UP?#*VR7`g-hg-D$59I3exV5q;t2cM9qr)%$?prAdQ&e&3jV|w@XE{5 zd7NO;XMvx@EIv!gkg#mIjFa@=3-t~O5{>X~7DxiaT1Ro1rO+8kB|+pYPRNU+qwf!s zK?xXtS4)Zwvor~!nd%dX52B|unx%92x?8-S(laj$(_g$W70_^F5~2!Ej^zO6`8-0%X#3> zNx;aICcy=Cd6vWrUi|4k$t&~}-5)>otfUbhy3siq5!1#6-v| zVM<8U+%Pf(A)_c2C^0xbMJ&7ysgHkc4GO8*-csMU`u#V}V>gCeGcvcdwHorTsy`Bc z0ij&+b8u$$6k|vZCs&xc<6GSw`>18y{mX)DsN^{{Qfp;2GU1z`|1R*Aqq=2R6mER z=rCrC`qe%}6FRxY7oFxTIEbUOV0JiH-L+6$`l>glebU>*S%wc02wj{U2n%X&yQZYx zkE58gPt^o{2PKisucVe7PPdcd&#hdFMlY5$;mY8JhfrfSPuVyZeYQ0qy5i&?KywB} zYvqXgSrVj^EejWaw4^@D=B{pF9HSd-jcW$CHE60mochD9K^6tSXH?jO?RE_4yG9|^ zh7-SQ=#AN$^xH3!c$)dSNJ)BA@0=Qh=xQ;zzk`%-4YsEK7XO2Y0UU_|$TpnSdDX`{ zEuxiH0~h_drdJKV#Gpb8C%KC4Lr`SV;E7vDAt&H5K|vfFM;J%jhY!eagp=Zq^DA&a*QLaW{~&{i*#oylF1O973b7XiK0ibiq~hW8h_lI(Q-JUOM|v5e^ZPMrU(d21APrEhiojQxwRn3Y~m|!lgl8T z7kQ-%F^j}lfbzCrRU4_PF}oqRpLEMR@+-+VryLd9|EAPPF-tg*59Y_bImU#!=`_a|hPTuRs3_&`aObX7Df24VunuNOY-xK{#edBkI1eIjqJN+fO#=Vt zLrWQ#D&z%n!T(tbpqPQ!rBX_9NLqoAhX&%ES(8eh5^cWU~YG<5j$`ZQ>n|~$Va{j-fJNdzgPn54G%%j<>|o@lCGY>2`y#@nH z{^~ehlHDEhDhsK_pyaiFuMXxUBJT;y77I|`KS0{!EK0ZgO?Ms@(h17Y!2VwUn%hfKO1HD))DF68Ef zqc2{@$*!lsV3-QUUnl3l&i)6eAsSs!wp@FUcw@78`|i%v#ZzG5^_lHmctI!)z01*| z;)03Ja1wSMyz2$*r3@M#kTWl2)K>0;od|Hqi-2Jq;&95ml!~oh%7~(Fnw&x*A^=st zbr|Co8I%0S0fW%=>KIlG*nEP!j9xS)my@>-A%8F1%t&6xL${J98Lep=3UVg2DmkSg z&5OEAS_Peda5jI_f-z=un91o+^y*qNqDuw@8lq8h4z2RQ2V;x8Pg8Wr>mw?5v5jB~ zTM4O`L?USNPU9@qn!uKecnc$}k+Fk0=1Vd0-ywLK0OG?jF1j%G8haR-4lg0vjxX8Y 
z;(yZ=R(``GNDrn%koh6>(O*fj8=3hLgxd3EjIpW&+CNw=w!LvKn4#D5P1|2(IaaU;xlwmDZQFNC;4F1zq^7=t2K zse#g>vDX;z6iPD-(s_2um1UnR3;*v>Q8PXbUWCB96fDsK=0)c~#xgGqVF~D+!%}H?XSjQxEP^OYDYsLoB^Q_# z^3IT~9AJW?3-!1q8fVKXCTm=gp+j?9%k-h>i;vaki*J|)fzts(-w|%CkXSzs5z-*aN+rL7-OA{txii*Yl24>E#}NYWR@oq5#S`=T>-b!OA1DSPk$bh>z+d3 zaFQ%-rD)_-hrSmf(_`649ATPk0UC7?ByohEb3nKbBhf-*{4ma@%q6<`xFd}Yyq^#y z#5iD(LM5w6NTkW~N;9FiUGV6caOy!c6N#prFXk*&wJM)K2rvS$ZjmApoCxYnazzjk zW#~<=Oi+n;Vw-m*^}+<1Tz`;%G5$Jl4Lass-QT@Ojt^c+9o!v}XJD>iVU|cKgD%P3 zyP)LdRXUHOe5h(D8ACR3(+~Z`m-q|Ol`w<{WGU(lW#U_QG8vKogH{*d5=GM>?q~_k zP;Q%L)3{&muQn($9e;y%<5MeT_*hY&wH3}l1%C}V#IvDuSs{R_)b3Rl+2>LuG7E3vEtlxp%EI=b%@FcTK@X>xT+V1phA)Uu z&)&)|Xfj$}5fv>Y-sMO{3|X;n>JA=c++d&y*ciwhmwWj8-#GzNN-O>Ux$}Yix%;7! z$#r&2Jb60hAYNW!zJL2EXLx-zXMBv0BYlC7vz}WNbb~65m~`bL0#H^=Y%$zYF!K5d z7djLwhW;J=b6r|n{0C$cqO38j(3V*`W}N7u_%)iRi?A=E7iEM+kjEfWN7?pZqQNfW zzJaJ&V_gasf%$qOZL>QP!k`el*4cPlj4Sv?bn}PZgQf)-L4OJxs%Hlupe=q;SsQS6 z%_)TJ!C4;N%2l&Wt`!!)nn{)WlHAT8reL&1_$$}Ylbt*O&Olj(TUA6MZkmVDa%rX9 zUE$lX)x#21QJm(K4M<`!U&W9WH+WZ^fe${0*W-O$$LH0CvTfa6eL&U4&2@5dhI^|o z+~lcRdZ`+bZ+~)5HpiqqQ<}sXZdA_WIK4IJRO+PapUPCAkE&&By>II5m#*bo?vBVW zYH|v#zb&h%X|(PEv@m>&6{{i7_v3^+1!Z^QWadS|A7aZ~E4hrrz`r`-YW@0YktW_d2MB`~*s6_#H4!d6gT2 ze8}1++7w}6xW~86mSK>(@wO5WH#R|U8j+0<380!r3J&+l!BHlzq!rZK0f-?ve5iT~ z#@&*=A%#UTrpQ|I;yO?z*@j@Z%kSmHs63dw!$Ctn2<$_ZFJ}79_@51 zg7VpS5PxMoX7x5dXVsDzd6ug^H4r=|P{XTXX}g1BrAnZBNtUE^zAMxPdbP zxw45+4gAz(A$n7DU#ufsO!Z@;m!0&MOIOIYz<=GkHPF@2sj8*prMYt6tXuEk&ez(F zyJ5`rO<94%t3oo}h~qCWcDTMlXp9v)tBzjR9vd{o1a+}M_ZYzN8+M=HnSGewN2wwv%w<)h> zSm%;eX@=W2TI3D9b_1_n6L@X&p4it6qiuxG+O5wGz-7NOn5=D|rIEKc1BczfU~dx; zbbBz^mUtkm6yehv2hBxc4o{5PWrXMNn5xLd*IQ=U9@r)EnuQ9%iq%KuK)}Eg5aQbTi@Ewce35B zV4j_=(t5)=yTUl@^1vOhMp}m(dkT7*cU-Tro9Ta=JMt#x4(Q5Tr<*(StXr;M`W<+&vvy@Ez{O-t`*df6kFb;W@Ykyb=7uF$fdsW5F8(611@~Tpm*DJ6Tuc*)ep_8cz zrr3YB@2J{@rN|3@O_+*&&}-mn?Sy@XcjHwSd$@frKopPpCc!VzD$LEJ|B@}<@D>yx z@42hQ{gNnsdwTWOTX^IV=54Y?^fox7?*f*Bo*bw|&W|xmIm&skwbd_r(0^bWT1z)^ 
z0o&%5zID8%ZykjVdnlfkI3u%4E6kC4y3C-yJYL6Z1lM#vyQ8Ma4Zx<Fv_Ys78bE9G7 z(q#j=+CZ+lK(5>YVDn~_dVlJbw$0{LURd9G#>1sB%Cll0l?T zAGWZ~ha}e@I8I!t_xavbsyKX@V&6%T*wY~`pp3yHTaew+okR zJTz$G@_7@?d^r^EUw>rTzfHYU_DFn3Sd|wNVRmRFH^U3wO|vB!Qe*%Q9c*uqa{Qd{ zAuLsnRUGgZZ29eiZG@2=*L7$DZ)!;!4t;voY_s^&Y?#E;8m3cyoGa4e zaik54r=gA7`t?IB(!-_5_y^$XvSxrzl3Y1Z2N|uG%Il3j%Bk*%LQ>Dl5Z=;@W>D8P zw)elp%j70s`+sF}4&(^weld&-57B%|F4V z;un00TqS0>z9DFg5jv}mUUzee+~yLwHrA+>;BGFFYkzZzTssF%ngP#W70`JdFOOSC zs9%S}T*!@2bB*0PGVWtxUh8JW*Yeb#;-0-VotIC8U47Gj-ZoeMXCUA4*Uwd3@S3K)&2;b()zYYF$gFkJDKW%}-uq#;`jKyu@OIxU7@i^$i=VRhX zH~7&Fet-0<#gDo^taeW6Bj7_nFI?ztvbQ_#bA$KX;5~&PG{+akQzMc1w2C>j;vWIe z`4!?goA8?};5KWpmQI}I4ID1)io>jQS`}v1Ut4$h|^R zt)+1}Ig77DfYb*=Rc-aNkWf0S9(oRL61 z7z|dOzat9v6(gQUxI|RHjB-bbf4Ia3pv;kQLNCh&v<^iPwU1mb__H)Qc|rA}O4>8= zZ!JJc`Ik}TNf6SP9yp3e{Le}g`0_`O&5!2Zt}KH;jWRF7X{ng@MwC=L)y5{aK7SVj zU9T)3G|jPp(Nv`cnwc~exZA3kyG;e|wQA;GQ-S-fnz`Rp z;2*7;`G;A+W<_f~RF2x5P#b;+<|{iy_qv@;@Wjl@sb{|Iu`9k{zCKRwxX8h zc4eu(uIJ(=xMup8=i+nS$DWhrSYzei>jL6(@i*1x8-q*(G{4Fk&J2{@ zD>`F|W(=hBIXO}L!1XVu=Pf8Ou9&L^)$Fn;l9d~d#3_lZJL}f+*j#5=ynlK&N8*}b z^?9YukvOBaT3D|Ak+=qHP(BM+H3sdL(#>by1R>>O6?!ar(v~$_8!J`k=8~C?Y)Fd? 
zOt;j|%4rpMO3#``X*=ijX_L0;l1-XqlP1}uNj7N`TDYAD+kZC~Fx90oI;1aFkB8PP-_h>s0IiK~+qP?$#kj_L#htZi zzW~rHZ4T*w;fM6EVVg=giaHbJ2BxfRqMYii$$2#sP$#$@5(>5jpiv+{KwmoMR6P+h zAdO%e{vzP2y;_$06(w$MP3>NEds@d_joV)l*6ydVge|(6dJ;y%M;K zNfMOivGXXti~`0o%1(NF{1*{FACA2}M0(QqlaT4@8Nj4cM`!6@EnVTG^=AN%f{ORs^c-i)j&FLlhaJmb+@@Xps7`k z)>ciM=k0h$){6w>K!4*9{~HE-+N>GZFBG#kw4M2y({PDnkQ~4X5Y;(|n2(JE?@SnU zeqc@m`{J1hjvFP<#6bgbXkml_ux6wNTZ|}UQpqfo6lVm5Fu>?eIffE?=AiG>D{|+~el{a_ zcSm5~?+t)Hj+dTijIeo}h4OgPX|DbJABe*nj*e3}$rH(D@H$d;*hTdp0xAtJeY|ZEAAhA_J zuFXrHA zw@wh0D1X;~x^|w=f`p|n#iHo30JO{0)&1e_zf4=F7MNv`l}4#}r9)QKZktU*rZHma zEikE`%31NC56=w~a3?7h#}{4WQhyc$ys3Oy^FajOxfpj(oDvo2`M>@J{{R00P)h*< z6aW+e000O8xs@DO(Kz*L@&^C_;uin_7XSbN0F%ihFdqb#99MS^oG!Z>0052P000pH b0000000031AOHXWCzBW?BnA;900000\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/OSSEC/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe OSSEC solution provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.\n\r\n1. **OSSEC via AMA** -This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **OSSEC via Legacy Agent** - This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends Installation of OSSEC via AMA Connector. 
Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31.2024,** and thus should only be installed where AMA is not supported.Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate). \n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/OSSEC/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe OSSEC solution provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.\n\r\n1. **OSSEC via AMA** -This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **OSSEC via Legacy Agent** - This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends Installation of OSSEC via AMA Connector. 
Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31.2024,** and thus should only be installed where AMA is not supported.Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/OSSEC/Package/mainTemplate.json b/Solutions/OSSEC/Package/mainTemplate.json
index de463cfc38f..515d9259967 100644
--- a/Solutions/OSSEC/Package/mainTemplate.json
+++ b/Solutions/OSSEC/Package/mainTemplate.json
@@ -479,15 +479,14 @@
 "write": true,
 "delete": true
 }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
 },
 {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
 }
 ]
 },
@@ -501,7 +500,7 @@
 "instructionSteps": [
 {
 "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
 },
 {
@@ -661,15 +660,14 @@
 "write": true,
 "delete": true
 }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
 },
 {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
 }
 ]
 },
@@ -683,8 +681,8 @@
 "instructionSteps": [
 {
 "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
-
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+ },
 {
 "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
@@ -862,7 +860,7 @@
 "contentSchemaVersion": "3.0.0",
 "displayName": "OSSEC",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The OSSEC solution provides the capability to ingest OSSEC events into Microsoft Sentinel. Refer to OSSEC documentation for more information.

\n
    \n
  1. OSSEC via AMA -This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. OSSEC via Legacy Agent - This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n**NOTE:** Microsoft recommends Installation of OSSEC via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31.2024,** and thus should only be installed where AMA is not supported.Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate). \n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The OSSEC solution provides the capability to ingest OSSEC events into Microsoft Sentinel. Refer to OSSEC documentation for more information.

\n
    \n
  1. OSSEC via AMA -This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. OSSEC via Legacy Agent - This data connector helps in ingesting OSSEC logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends Installation of OSSEC via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31.2024, and thus should only be installed where AMA is not supported.Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
From 4ae3403be6f6fe12fe98145ba3ed01e6ca8068de Mon Sep 17 00:00:00 2001
From: v-rusraut
Date: Tue, 29 Aug 2023 12:09:51 +0530
Subject: [PATCH 3/5] Update template_OSSECAMA
---
 .../Data Connectors/template_OSSECAMA.json | 2 +-
 Solutions/OSSEC/Package/3.0.0.zip | Bin 9282 -> 9284 bytes
 Solutions/OSSEC/Package/mainTemplate.json | 6 +++---
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json b/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json
index 6daba31be63..ce773908818 100644
--- a/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json
+++ b/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json
@@ -100,7 +100,7 @@
 },
 {
- "title": "4. Secure your machine ",
+ "title": "2. Secure your machine ",
 "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
 }
 ]
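Review bot: The retitled step keeps a trailing space inside the string, `"2. Secure your machine "`, and its numeric prefix does not match the `Step A.` / `Step B.` scheme used by the other entries of the same `instructionSteps` array (visible as context in the `@@ -683,8 +681,8 @@` and `@@ -529,7 +529,7 @@` hunks of mainTemplate.json); the steps between `Step B` and this one lie outside the hunk, so the right letter cannot be confirmed from here. Something like `"title": "Step C. Secure your machine"`, with whichever letter follows the preceding steps, keeps the page consistent and drops the stray whitespace. The same retitle is repeated in the `@@ -529,7 +529,7 @@` and `@@ -710,7 +710,7 @@` hunks of mainTemplate.json and should be changed together with this one.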
diff --git a/Solutions/OSSEC/Package/3.0.0.zip b/Solutions/OSSEC/Package/3.0.0.zip index 39f76fd8144f2cd33190013cb8b09afda9c40d10..57b965e446df341afb3c4deb22054b32fc07771e 100644 GIT binary patch delta 2279 zcmV@6aWAK2mnZ5u?!>#4Ow6vSI^){j8z)|0BEy42`YXeOhiK#01MxbsQ$!;oe7t?TL-!^aTsmkNc1n_(=_??dc-??4%jzu8a zhd#yALSpgh6b=>7-Jx`cQ%l+qmypdii$BeVNj$BQ zKh?*XW+@&=CbD=M+NiBxKg1$`<6H`ozXz@^YX;~f$(2@hkkNY8yxD-JoN679+5*_5 zp0!cIr5DXOu^S);zQp_KCSUvgbPg~I>3-LY3u4iH=S*I*!`(B^-nRGCwY$4UJyv42 z_tRN_Y8F{%+xC9CHBE$Sp!@xF?Vwt!{Wb5UtB~9EUb;#HT@9S7dKd72;4k4`I=lN` z>s~s8-x^qVT^QsSd@o%kX1KW_Xp9j$tBziGdoSJgUb;5csFmPu@1<*VFI_taO`0*( zUln$G6YrzjMD$>X^I^!1PjfTgCNl10!D#Dd#MkoFpW^Di4V{-y1BZRxe%`jX2x?!p zw+L=;5mZl84yg>Ct%J;e+GctSk!=l;t!6V@Ftib$^!Y+z%aT}QrJ8YajTU|jZQVj! zHwW6<0@q>p7;P{ccL`l>p^C-hpbwvq2~pibQ@7C6Ei~1Qg&xGLOi=w?^QW?eS1;}t}ka6?W(PxCJ84R$d7JG+Zc@SuDNoq6%!`un8YOX!Lm zf>>3F+`<=i4V@4n$3JRVamb~#+3nvyr_ZAxtt!!Zt%~+chWmTK8JnT&s=f>&q^Vdf zTX$^M)vCOKMtC)UJ@XJ`(EG-^3s3?D7LsZ$jqAx-EVh_V`Bs*FJ47X?4nwgm+0<^n zZ*?A3cNUZ4A3HPl7Uy7))#f5EBX<{hH){XUs8TH^VTO4*`P*4g%8Aylh>P{|YF`Zs z9m@Ey`aN4*(1JYP#Zl-ncKpOB%ijf;fsg>cSqe)%=F?q&ELP^D{y+nX=cl{>+}ZVw zM&85!^dIk@pR@iyc1Pd*qrW@&^ZWmK|K~oKzk366nETUjm3d}hMr)oXO3M4Y=RJMU zQlid#19ILw@Ad0i>l?gza^?RZ6RbHSfqF0)tU7-qAfzWAIEu&o&q@>c@&}L2 zPv_pgEQ3FdGB3hushIXglvJDG#{RfI7Xw|dEFUz@v47E2r6`c^L08{$4Kd%F+F*Xu zq`^XiKH|cb8AMu^f(-i+1lzqNrYAn@M zVA86YNmGG)t(v*lRN#KAX6`o?c+jeu2TcY3+NznqngwiDwANFe=5SNRWp%!g|OaqU<&Kk}Pl-(;jV~J)Ar1KFxQTxdC@4V+ND4egDs|MBV zvM7?38&2CPiK{zC*YZSOXT-gFwx{iy5c_$h?P)uswpv(j{As%eYfwIBS2YIhmeS3~ z=>#F=VikHUdD50OTN^7?=k}7Bj%-Ma3{1Cw)Xv&z6?aO{nnr0m=k;lmw&{{>nq-?M z*``UhX%ge@Hchfklhl@KDzM3Ek{0O^M_R<14k;}S+N3`k(;iy5od?^u7ch0ZYQUMk zSU(=xtb9kiTM4u_x^3HTTo&U7>lJs_qWuCuue3e?|An9bzkzKk;V9}%lpC0`wuy3o zsF`1xq;9U#&( z^@2zu%u+n3r1%InFQgtri0!2~<(~q76QTD@acrL>>7nB2(HO{kG+rK@M=%6D(jpV!)3MFiFHnBZz4owvzprs%rc+)B{YDo1Oprp?O>ct_Sd3gkfJ5dRwn2imL|H#-!w zH?$r9n$vKJV~`xc2@useh?tL!1Mf^2bbb(21N-8k2yvwGnK)@6&X0_Uh5{6SNav!f 
z#@ZI%bw8{JtVN+kUXF-jQZZxs*$kG`1ALN4J0zcSE-Jo{f#o%fe@bVbzY=56X25y^ z@Ajr36up`S`C)?+*<&F#nxf+g!GcgLbB?tGUWi#V#H?V|NDaOiVaBA=Stu)x4+`Oc z(Oz&&CG^Ze;1{cW&JME~xwk)m0;_+2P!P+()borHHjlGV9%C{NeTpO&Qpu09q(pi* zIvxGQnfFW{C&eO&f5!xZf|^>-xNsiugEE-zQ8UMn4_eKLO=xK}%vf1;L0pH6V1{V` z5L>P^QwY?9klV>oZr&72OfhBJ98Lx~-$cl!f7~w`a+z>Wn4$}4si<*()#h<)_1^6j zj3#r}00z(2e13isTNUKmTx#u(Lt}1S5m7GKB01i=sxMsqqhK*3Eb%qAtOvsfC5oB& z_9pi>>}q!2BiF$+okItId$4>5Kj#!XQ7T^P z_!hM_XVZ{rjKF&frmCkBTs%U=Q^o|`NlL|8N7uO2pTz)gE4kJod}@JrF2>yxM@j|M z{*Qlv|NnnbO928D02BZK00;m`Uz4^YLk(GA9aqobNsLt+003x{1|&8Hsv`gZ005H1 BXCMFo delta 2277 zcmV@6aWAK2mpm!u?!>#4eVMSR}L-nYf~El0B5s32bQ%l+qSCGv%i$BeVNj$BA zKh?*XWhovcI+NiBxKg1$`;arN5zXz@^YX;~f$(2=gkkNY4yxDlBoa&CaCiSch z3NF29hKbz(Fz_W_PdEA6ucvchQAqczW?Tr1<|}9Nk{zy|arU;op03^1HR`bvv%Q|q z`ct#WI@`9_)2(SDR0G|wr)!7QQthvKEnS7&uGi948t7`^RMopc2Y(5F*V5VD_gdG| z8T{6;y6d7Kzu;@>Dlx;&4MAg!&{=i#y4!2%w%5|Nu|}-~cY7^en``OXIcU-hq5i6% z)0=o5-6nzuI~)%~ZhV@H@ivih9}7iWHzU55r~VW-_igCBd>S-O`uy+ly^vb{ub zdx@ZWnsP{GEGE^bb<%vJLt@N|JL6p-QGc0u!-_*LrOj^t`Z;|b1!+}@&TCb)XENO11J2kCU03yG5Ft&)YT3GD zv#wU<4K%{5>6wRrAcNjF)?I)SD6o)JYiV3h&SJ5}bjr7~?AswKIdvF{ZONu~^L?xH zsJgS56#v$lv9~w}gRC|ec^SF8$h%Sdk4BYhF$puw%gNu)f>KVjc12vQmsk60Q0P#` zht==d;(`|B@h*-+kFnz?Mp^zYxD12@@XbM@`0VzDxRAN2G2(fQOGNd{D0iCp$4hJg%A5)( zbW$#$btsB|s4ePp!Jnkb$qT9%Rnne`e;5Kv%D;>v-vuE(@xW0$=6_b2z?VOGY<@cT z_GKCTX_R>pPD{nKH=?B41UL4_^|=`6dS&^bX^#DirYc2&d=I+%mTQRl-qZ&3nn^#L8+Uyly)byEeOA}J9V*et4Wc-Nle4eKGub}MnB~xRmrUH{z z%}kmK+-ud$y`}>9TQzgPslbC)%{*u-@Yhz&{M9UAv!b=0@IAn#Lcz8GGz#Qr^Gj#=s+jx%X%r*fQ~i)GxHvsp9z0@c5=XNGj$wZ^mcPg& zx;QxF3qr)MUQqJLBlCn_K0fc2z+LLxl+rx*Hj1yKfU%6S^WFjfMa0iXWA6Zwo~ai^ z5@D9&IVHtMuz4Z%7(#3>#VP+3mpM;E@&yX;vpx znlB=#j>iO71L?d?PBTT<-R4$;rdByxTQzN7UcfuD-ccY28i)AbFgVa=&A8d2n7yIx z_}83d04@HP0jnBkM195(2L^KqjKspzHT{YIW z@UHt|Jzy;gE%I_i6qAY>%g<)8oF3qlJlY}olygz>eGDwGVf<4%^Zb<ZTq9JAlt43<@#RxMdmCiz0aePn+2aNWD zV=AF%4g$Ye<#TqJ&B(p|5m^0y`-6g54yK-GjIeo}h4L7aap+Sdv5-oBlqDt7yV2?B zC(gWQ@;E6LLHs)=5ERtZdd7wGfFG2>bdQ=jetghsMr=Y$qhZF%q6^|WTm&;r1Ay3a 
zrI|vY9)#RZj&k#+SYnDP)8=q8$oVEhHvQv%(U8l8bHWr|Kubl9t2U2+TdVhOuV6Hp zy9O|Lw&wHmlh~>t*XB}dcN`jXVDs>K_G*8DWX9v1L6NJ}6Pl#J4xO zw_#Va^B%blrs*6y_}hc!JNP-L7-QwX4_dAS-1{QNdZt~KZJ7Ughxul(D3I>HW#7IR z^WdJdws-jaNvUIB-YL_6YXQ1#ymwBPb4##sH&?@ke3wh?EbxYAsL5Ro$9~&xm*Grq zG8`9rVf_??tlv7DP@-J_>Ds2g3=)=}h!xZmfqs{Ht_Q>YznivBtwzftD~(d|O2@aT ztvQ>9Ok)JzTQF5UmEhtLBAzlP;7(F1&N{lrrT#1icw5P}=2HtFymK+`o;Xq}p!R?K z1N{I015ir=0u%rg000080EJtVxFbUi>{=aH4lVO*QyTyPXOjpdHU_98000002b_ih diff --git a/Solutions/OSSEC/Package/mainTemplate.json b/Solutions/OSSEC/Package/mainTemplate.json index 515d9259967..ecbf9798fcd 100644 --- a/Solutions/OSSEC/Package/mainTemplate.json +++ b/Solutions/OSSEC/Package/mainTemplate.json @@ -501,7 +501,7 @@ { "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - + }, { "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", @@ -529,7 +529,7 @@ }, { "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " + "title": "2. Secure your machine " } ] } 
@@ -710,7 +710,7 @@
 },
 {
 "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
+ "title": "2. Secure your machine "
 }
 ],
 "id": "[variables('_uiConfigId2')]",
From 68656806ada77c3f22240ea349a87a8ad2954d78 Mon Sep 17 00:00:00 2001
From: v-rusraut
Date: Tue, 29 Aug 2023 14:00:40 +0530
Subject: [PATCH 4/5] update template_OSSECAMA
---
 .../Data Connectors/template_OSSECAMA.json | 9 +++++++
 Solutions/OSSEC/Package/3.0.0.zip | Bin 9284 -> 9319 bytes
 Solutions/OSSEC/Package/mainTemplate.json | 22 ++++++++++++++++--
 3 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json b/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json
index ce773908818..9512edfb507 100644
--- a/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json
+++ b/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json
@@ -47,6 +47,15 @@
 "write": true,
 "delete": true
 }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
 }
 ],
 "customs": [
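Review bot: The new `Microsoft.OperationalInsights/workspaces/sharedKeys` entry with `"requiredPermissions": { "action": true }` in the `@@ -47,6 +47,15 @@` hunk asks installers for the right to read the workspace shared keys, yet nothing in this connector's AMA instruction steps (the Step A DCR flow shown in the mainTemplate.json hunks of this series) uses a workspace key — that is the legacy-agent enrolment credential, so it reads as an extra privilege the installer does not need; if the connector framework does not require the entry, drop it, otherwise add a sentence to `permissionsDisplayText` stating what in the AMA flow consumes the key. The linked page (`agent-windows#obtain-workspace-id-and-key`) also documents the Windows legacy agent while the connector's own note says CEF logs are collected only from Linux agents. The same block is added twice to `Solutions/OSSEC/Package/mainTemplate.json` in the hunks `@@ -479,6 +479,15 @@` and `@@ -660,6 +669,15 @@` of the next commit, so all three need the same decision; mainTemplate.json appears to be the packaged output, so fixing the connector JSON and regenerating the package would presumably keep them aligned.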
diff --git a/Solutions/OSSEC/Package/3.0.0.zip b/Solutions/OSSEC/Package/3.0.0.zip index 57b965e446df341afb3c4deb22054b32fc07771e..785fe377f4e263a288c341bbe0b973eb3ff5a8f2 100644 GIT binary patch delta 6839 zcmV;o8c5~DNaskfFbEFnZXH*O_KM1Q8vp<#=94}MFn?ZW)Aei~zOi?A?!=iaO~Dcy ziqsOM9d(m__InN8@IKqDRM|=2x^813O-qcHxg5U53yz;Vi9w%7zdEh58i!W0$ zBrIDl<0Sp(LcK$RL?gVL1(Lw9)@dAODRf3sNf5b=6Y}!(^t+=T7XK)EUV4cKy#rxd z-(l=~sUTFof|u!PNwHy;CP6e)eIoHe^o&Ncbbk(C_lwt4dg*0h`jZ!Cyx!}CvN%h8 z`mZF;mb?9t>gA2zR)rC=E#@b|Qqt6W5vL?$bUGjxSxO>Gr*ulvm@GZUh?gveY5ESv z%~JBqGug@TbRK8nbO=?4-_qgtUNZG#sP@ZBbimj4#PRTFVaq^BWJ)aI0 znSZ~K>v`bMNx;aICczbSd6~ouUi{f1$t&~}-5)>otfUbhx|o ziq5!1#6-v|VM<8U+%Pf(A)_c2C^0xbMJ&7ysgHl{3<{~)-BI6n`u#V}V>gCeGcvcd zwHorzsy`9|pe2_hQe^fH=e%gRtRrMdEwz`F>k zt}|c}f{;^OtDHi%xSE9L3RPFgu>^TPQAl)tl2k>Fwbx!-oijE`Lsr zgax&?T~ku;$5G7Lr)q+}hmy$VS5ixkr@Kk<=T0s~qnAsXaAokqW2iBkr)->yKHC`( zU2*acpg9AgwQ@@RED6$8-h@FFHlq#7HF&O$b`CYMrj94dy`3(pkFvS18yLsv20P=L z!R-v1Y7eLWaA%N3!LJz=_F%Ui1AqFiQAoAn#P1t=W40#!_DK>?Gd~w8NpI@CqXr?m zS_~fSA>})RovFXW{~%%jr(yuI4QF*;^@&c4XrjsMapL7?@omebPAvpsN1AQ7Ot;&cm8+XFF+Aa)%SS(WmNdYQZ|F*@(6Jb%75hR4FSho=_x)d5z@65CffIypETn_SW4>pvLJYcb~P z%Cxm6FO&ExfJHJJOLi&EVv3>As<#ZZ)yrgWa!=$^KqKf?K(Do;kz52hon1w9HOVAK zKBM>As*1y66{}Z-WipMX>}6E2g}?v&(S(vi&wuC5XgQqFr9oSjzkex422%utrGdVN zl|wcb(%f1QWH#{?x5;&o&WpU#m6%0hEI@f%u&RyJ)R^6nyHC319r=~yn^TSo?SE5h zq?jcf$Vc;I-kjx|MYGiNoB2~0^d`4a?{u2u3&UG#1XPrAf4Fzgs+4(^8(0T3B(}7@ zuHxnmybB_3qW?uBntufTkH?lWE>*}2F^MrWSCB8M|Ak}EZ_%r3%!&1sTrt)rl(;Lp9}-88;-E4rL2#*>`B zxAZQ85JU|#h~Tp@!TOrld$X%l`1<;K#Pdj_h^FH{p%`c|D1QxAs@b*?c||X2g6+MQ z1jK%Z8Z9!zj%J|{>+_`EB2F-Q3x6(njge!}-gFuWiF`$W&4Pqmmv227C+F80M4Xg> zGfqGXhzD&7%MXPJST>J{;DB6sj84UyA2J41Kg}YZ5|s&6_~@iPxBH@yJ^O8)9BUXuMi@+u3d#h~Q1eytAXJR%C|j<5K)hMJdv9;* z;wdoj=6}rguDl?WhTi4qP;tRTXE+J_4&L_6B4d*OBw!GluFhb^fXyek%jiW@a*c9Kw1V92B*HsQ z9qvLkFX@$SE9;+cdev5De!T2ZTv2q=W=8Tl9)G%(G|6a9(@>Bzp;gH#4QXD~UD7J( z{DZUk+ZK#5o5M^_f1s-y$%rl)5NL=-$vbG32R;~E2fU>Sc;bpzWL_G 
z%d_tue)A1EnC}S7?{3a3OA;KCK@7SauySG7yRv|Y7oVA0!67He;%_G!@*rx96^~C_(nOHDfnTZzsF&D(Tc=SA(0tK5`W-A zC%6oNfSea0ur38lw19chIgqi;3qx1}dhcMVw7)mpe?S&Nl%hr}nOoPDb0HN;*H&#fjABPBO5u6eMG~v7_ zPx*q9>>hphv`;%5mAQT|`<`{|Buuz$J>NLEO<2nxWh-%cgO^ z++S@_WIFx^?Z&58%J8wGK5Hvnf(rf|aENC^=dwZ`haJ~spo|(PNq+#V<`sl`HOi$P z``Xofda#P69BTI}i|lhL5}Ad!@Rmz-ZDnD5*k%ZMrl5yYOs;1%CBv7*rL}YDOf=X<+&2(4YphGb zA~0W1rIR)kA^|ItSrk$Mr<1G{O94rf_!J<2kJvKTN-pCt@K@(ttzSPY(u4AwIoKKS@M>7v?x0wy5~yC%X4qj6y~A=jqE7Tt+RCvFzsaKN zKQ)W2vkj~OM%rl3}E;TyU%a(_3eGU(V4@4r+4w? zoqTwc@9yrib6@Nv`D-v9|@EhQ|8}Zy< z6^^?BCS6_LuK|m0hC{c6L7Sm+Y0^9=)VDf_HK4tp1=3qLU|-8r)} zYr%k9A|<;ZBpczr%`o34cyBd3QEBG3Ca?j%+ccM76>PUFT=y=7uK||Zl-Dw>bIGbS z!)+Ta@)lmZh1YHfyta8y>}!V6Ho|A^*5?-BvR@fY*0#^m$lKe2!){@Juy+Xvx;q$b zOFWQOituTT18R){Y7cL12WzbZ3AF?W-4w?9rNCF+(4bDRptX@G)v3G*47Ib<-b}dZ z?ZZqvGiD1X{o3H9E!>7Z@Mz;MTDgiAFj1G~Z)x?{fQ5cRa8SFgZ*Av0+3r>_&(2n9 zv*DawVVre&;Eq=#ZNiOzJq10@JFYj_&GbLd9eERT2XyVN)9oF3)-BgB{f@jzRb@@T zSxTn<{_e<|*df6kFb;W@8(0Sy)*)|uUB%5C*rYr1s#2BLE3g!=sL%hQlc@=&IDCHS zsM>_3$P0c=n2LPR8{lc}g#8Zh#;Yv$aQj?Co*bz}&i64(Im&skv(qnn&|n%`OSf?W+xC{e zO}wRV6NL?XD4v!$BeO~?%#nJ!%%HwJ-o$GJH*`L`qo&9$z^2q=$+_awW!|?p8ny~L zYj+3k2EtS{zXp_lDX-iPRgxF)fG*MMY;QDdyo7HHjj}PN8$>Fv_X&jhu5L7RnNJ^= z1&i7n9qL545<}*|lL8D9#nDhe5q^5k1}HKsZ974HIZS-DTS|rHq7kk{QO=4~X=lmd z0>jLgLm@@7w|}JG1$%t>>N&?1oW$2OIi1rm929^4Eaa_!`UZ#|96dW$--|!tgWGwo zXCq3CcJI^4RX69M+^bWs%*8SjlW;*b##?#K)!E8y_0JWKWurr%UJfBb`4d9bhA`2? 
zytm;J*v{2cAZYm4sh`yF$sx%d{ChK4P(7_zNn7yX7CiXbz=Q6kO!Ky?dg|Rzn{C#- zu#Ta?W705x%FAL$pW_^=TWF@j)cH@|M|%}6o(8({DQL%5$>E3`8B{jg*KXtBeU?ng z+ZV97dpP8Hpd1z;-6uB~$WL^j0-wSi6nl%ihrsU_-c>L|xv}OcwTNpt93Gf(7V+wd zX}Gx36OL4v;J#w6=R1w8*eM%9)ERDXf|NIS54g*Jkr@I5!56j=6%f7*#+}nAN3RMg zndTiE48l51)lCuX1ee7`kSygp8`@1#gp>o6@) z%V3c$$o^>Zw|sX9`s41D!-6{c$JW7!*f|ohi1?0BK`$hI84F2(N5Q*kwgi)k48Wm- z6%JB=jtTWWM4O`5mnHla7n%DbqCg7@svx7_9FmK2XqRq+&bzA0R?Me@el+VtQwevV zq@M1I{_WaOr$%C`3ceAzuV%8FO5DXf9NCc@jXhPFyqOrX-wTB76ClWL7eHnai1x8h z@wAXwd^*KL#dCK+vFhW%2&+ioEm-rrg^&q<&~(1erKk~YLOWDBE(PqSeXPiyd5 z^>OA|ipP-*FP?@rYU|ezvDow|MalmHt}bf^=p@ON*>{l9dfB|$n7W*59TMFFTc@72 zf$60e%}~V~fL6Z5D-tJP`xS`}JQV4E-H{9B(|qkwUb4gWN6y~1S0uK(K1n@RVzyU* zBwBxJ7FlQ8_KL(cO@wNo`xS}p(1NP{HLpgjklXcY#7YBQ4V;BK!*Y;!eYI|oggVf$c@i)IpZcW?o%Oux$9=c*Yeb#RVT<@&+1l`Si>~bV~0VYX-lBCM_h@S{j#=vsmm+p7K3V z`}Tp#O&x|}Kf9^je8clRs%}Xq#Xr<&Y)a3;Agf(zUPf+9^KR6}wNa&iT1?_o^K$aH zv!Ij{tz8ip>*dvkEEGDF@nQ9Qwz!}LdAy6G&|~cQiBXon3oZj80eqJomU_&myI8Eu zNBw~Y63L;BO_Y>@0p~q^&{Col&U*uL-aGI0>ssp@ym@lve=qZ^lYAa1e}!!*7yMD0oV=iV zQ6=rU_*ZS9r2NY$@-ztPi3g72G5@pD1it*n^#L8+Uyly z)byEeOA}J9V*es!fBcAVe4eKGPdM%KB~xRmrUH{z%}kmK+-ud$y`}>9TQzgPslbC) z%{*u-@Yhz&{M9UAv!b=0@#tm)lkp& zm}b*akG#_Mn5I!%Ei5E?5of{=2t3O$xQY0H|ejg_i%d&x{k zHl#%crdw)ff9+JQE>KG(Hyx4aD)05z$b90_j|I)mYoYyY6T8 zfVC*J$jcE?Oe$t9KbpaEdVo*zWQXKa&PB!dF|fRb@z3bY^H*XF+6-6^;N9L7grZlo zAU|wSB6}>vMpJY=AXpG;WzMm7z6&vnhL{zs8mYk-Bg~joItyig#pyvI95C7oj;Vy6 zISBk>mCxB>HY4};M_~2u4+>&An0lTu!sc-n%2Q0nnNN|#LMr)5mXt{EMyI16IrE;& z)1+7g@$Z;GP*79r5f{z_eoh9{J!7^M#~~AjZ*PS$G51h zIh%$|V+7tXTQF5UmEhtLA|5g(;7(F1&N{lrrT#1icw5P}=2Hv2b209oI8rL0_J8~X l{Qv(0ld2<84(e_lSBmzE%6J<903_y<2_!WJ%_9H+002B_JU0LU delta 6800 zcmV;B8gJ$2NW@66FbED=U>#S_;7N>C8vp=k;gdcHFn_MI56|Y|8+&)>PMpco6fCi! 
zNR=S%XgBF+zvtjV0wlnPY$r-0-aA{1#N*)Lym0UX^7|kEKuGV;%%9VR*Lz5M^E6$u zhvTt$Gg^3&H=_$0r6cdRETJPmUdV53JlWg-`*836aBqJ+rOPm0VYxH9ScYCoNB?GV z^rzl{cYol=Q3~IFrU?t;2>aO|?cx8)?+coGQ!hmde#aN^%FEJuoM6#sfuF=IzD&uG zuxz=Elk}ep^$rOVjqq+3NCLxJr*W92&>2Z3LF6({$cxj{Z;yId{DbIu=_MZY4uola zhq3Raf>8MiUZ$%h#fDj$1kp_OiNpudQyR_EIe&cJFJ4dSrI&^2&t91Edan}7;wBcl#sN%WJ)@3L|7&%uj-)q^b8jPD#e-bU-e$lth$H>6D}~S$d2SFIf!J^ev2= zrR3MAvXkNIJkG-D5ULLUMTb9l$<&Xb+OH!*exW3YSW3Mqwo1}DCBI(B$y>Jcd^%KQ z{(nlY=Yc;b0V7kI1Xs}IWfCuV@u!C*uh3I;e-M9sP_t8QvK@cRjO@&=S0H}S;qJ~$ zI^z-%6CtmJDIrmF!^jYXjG|Pa#NhZ8vG6*iKK`{cD5Pe0M}6Pv_g^=U-57Gs$lTJ_ zYRJE+{zwFba?yVp&&Xlqg{w618O$Y3D1Rwb>lE}Rh-iq@%V?S{D?`zg=E_R~?;@nS z&VWS-LQZk5ioVIqy~0OI-V%^cDkfK%I3aqU>u_x?2Ky$ zw=-y}J)HW(ok11_|H-JZ2fOVU(0_N0LaGfXe&5g=vo-0rPm*|=`MF3*dQ3FO#L1H2N44}6$6lMIIHujPjp&DE3F1D`g2XM8hnXCg%(b76+48W$fCg$ zw+2s|HQ3R7P2pxGc6Y0q_#BmZQme%Etf}KkS&1i`s>G8PN<8VR#KvehRDX#lEtR;; zAYebENp6_AmVJ8#O%}W<6=|M!gI=xnPPJoYA=go?G4mj%KBZm)%c~kSGkD@6=Z#5E zrAEociI<h8$uyd>7g50${{GWP6G{#}|E)Kp<#0lm25nXTx_=lMOc4;42KpLS z4%t{pb8A76*~C}eCf7kaFY-!PVit+90Of7Lsy0$nV|GLCKIxWs(em*wXg8 zikmm^Hi)>1{+>oO34i>bjxA+es*o4R1^*|x%(0h)l0hX^qUSxVB=UM`kcML7pHSd5 zjEGKOi)1ai3Ow?Z&OCob4rf{0JaNh#F=P!DnHD^%bx8dRM9N_4W0L=aEJcO~-vgG0IqQ0$dKh?pUN8~+W*kO>uTH{wP<0xJ%;(tgv159@B^0D>n1i)h{E>B-d zS+PuUi7RKpf|AE%;l10%Ke<^&W7R*8-pibNz@ivqgLK7<^lyPd(jWy_FtQ^U9texK z7PFMEI%d-Cs4=^FbR{<@9DVUJPIf&72E$Y+{yI4acJ|*u4bkX=vgO(b#GA#t_x7eP zo&p1J&VOw0$_qki=v|Hu6&Fl&hLf=G;9W0ZCo*VwNG`pQQCqnWb|SzbF9L>fh{GxK zQYyAOkr74RG&zMrL;$LO>oCSGGA8*?0tTV!>I_y4*nEP!j9xS)*C@wCE6CkWBD~Yo z;VxA3l3v-ivi|v|S8ZkH$IA}I6-6g)W+boUp?_ORlZ@6h4Fx$9T9usAkmg0*C9Q(a zKRBDeZNV6`In3nrN4mO^jOda9fre<5yoFYI;DfP6-lr)#!Z zg3AC1$axV0>r${p3z!$30~yP_FoY$b_ZF5)`+LLv2V@aMSxUK`LM^$%tdMt!WaR)8 z6kVvtEzvkzPBB^IiVPi^+ghfNMPGcZK3{ypGzgpy5c-aAV}-=}afpx>!6^|y6V7|` z9bZtA-J@^6>yy(J18$H7Wejs|ynkI_)3ujy=~xi^+V(s;j}FN57=#mhhvv9VMg`-* z8YD5{h#W?)1NdI97JY$A`t;j;@t|km0nXY0(|nAT=x_Lhkuh~X)8q| zr#ke#2$>$sM&bz5Tno^st00LZ^qd32br^{j8smp?Hf1i+#m60Kbm0AjC?UoHgA^)R 
zMM5G?me-mIz3qZW&xBJCqM1lE<$N(`sj5}^{6T;bfOU%$iQq&~XOa~`M3kX7xiUc| z-idAAmDCFpWO70N#rW&IHGk-sclBWZJ~=x&kvh0PBG15F!NM$&QU+a;xpzg$$ts=4 zQ9e{Pl#C%8xao&};%oec=t>yEL$VZghBEOjJDH5g|3Rw@aEYR65O=hMW+=DIvT58e z_g5PfnU23fyYZ=&GJLG4&)N!?pn|^y9OBu~xvY@KVaGKYD5J(n5`Vy|c?F?fjdH2S zzIHXA9;{+1huXc&BKus5L}uYFyyX&ITUpp1wi!a6Dd^!8lj|8x$?yg7>E#>Q1x-fF z6;aVb;$4qK#E=#HrtaWD#tjCVfQ^C7ak+=T{Dl)BrL@xj?|UD}@B1GbnOtYb#FM8} zj^gDC^W9H5!|SU#<6mQZ9O(;uob}wIpc_aiK$@V(8z& zKi8$T#eYCHA<7!V3T>ICW5$UdieIC7x(NFsdQnDL1bGZ1b(C!nCK~J_?i+}jHP)qI z5ty&CKKC6{p+_^WfS)~}uxX~KiTS$S{0 z(SnV+VWj8|+PIbbBO)r8mZsCDQ1xY{TGwd*k-eS2NQ78H+ZROa8-(*qs zpPEJ1*#=gCqY;0sku6omfyS#MRbShGYO8%AYgPQ{sMjc@dL60wr#$#~9kkO+u5BVz z13xxdh~CuP7wZTYQ~j9eWhcGm(iO5TaJOy^bTxFUYUy}suAH~));qZKjdtU17;}A7 zR^afukW4q?_{)nOZf+17V};JDqt~^^1`RPmT`bT&1~B}F-RC#?`u0BF=*;1N)4TZc zPCmTJcX#*Mxi5B_!CSIMtpwLl^7i=go0w`-N3}NBHcmA-akt^}6$vg}_ziH~jd<>_ z3dh|5lddlB*MLPg!=YQkpv_RZG-;j_>RTPe8qnTP0_m+Au&-q*YoNRC1Whwkw+^Da z0npsn?U~g8hOaWI6Zrk^K<{;bW2%P}yJ5uj@L_YcUJn;;1rxR=wbnp?R@rWncZ+b~ zwP3(4k&;~yl8tcRW|(giytkU2s5En16W9RXZJNuk3bxx7u6q~4*8t0H%4-?cxnxzE z;kJzyc?+-I!fQ7KUfaAU_BF$38{xBd>vIcm*{=*HYujgOQvqYhT7R_ZzkOI z_F<--8MB3xer<5l7H-2Hc(idBtz1P5n5fJ0x3v0ez(T(uIH=v$x3=@0YKLTFwVL>aL22WHsQv9o`Rm{9oHM|X8NDzj=YJv1G@Is>GqC1>z3=6en;Mhpi-WNLyb4xb%5 zsy1OM@`7IzrXnBo26$RKVV~jMc$LK-Zl4Pf#S^|s@H4aubMyFrzhs9uyaNTud+sW6 zza&cET&&)B3y(a;yiK-<-UOHQUBFV%lOvVL`5|U0M>!96cKSsR8caiL={7E4+uqW* ziMRA^qOf5P#nTdJWL9Z~IZ{uT8Pu1@n|O`jhR$bq)D*b|*pzxKIahqT%=`96!&X6O z?e4(cK$wc=*MKsA<(1o^O7h|z&?Q=(&AZXi{=u10^f4$~)SjoWlc{5is-RP{5mHZ~sWW3-E}d+{fHaGNfF_f}K~M!R=Ox3ee6 zGHXDN6b>!|6NoMB@*&9;4UQAn{(ZjNl`38zr`UH=qzZMA45($W$QEROH2GVen}`0m zJLRB^j{dQAFe38yA{G(f5vb*bq%UJ3xxHTSZkjE@q#^@w=wO9|lq2$d53zpe^<@cv z#YN_S{)nh8W3^E%qw5?HiE?O{Zi3Fcs>)Wxo!WSB)`zAN?m$UB-4*>`YXeOhiK#01 zMxbsQ$!;oe7t?TL-!^aTsmkNc1n_(=_??dc-??4%jzu8ahd#yALSpgh6b=>7-Jx`< zj{~5o0)aPR%cQ%l+qmypeWHj6*ahDkiFkw4YPnPw>-M<%j(8rrC> zUq8em<6H`ozXz@^YX;~f$(2@hkkNY8yxD-JoN679+5*_5p0!cIr5DXOu^S);zQp_K 
zCSUvgbPg~I>3-LY3u4iH=S*I*!`(B^-nRGCwY$4UJyv42_tRN_Y8F{%+xC9CHBE$n zYM}f5bnT#8s{J+ZrK^zJ^WAs(Kgj;4k4`I=lN`>s~s8-x^qVT^QsSd@o%k zX1KW_Xp9j$tBziGdoSJgUb;5csFmPu@1<*VFI_taO`0*(Uln$G6YrzjMD$>X^I^!1 zPjfTgCNl10!D#Dd#MkoFpW^Di4V{;NPXmX2-G1J-w+L!qwzmjwZxK{aQx2&Novnk+ z+GctSk!=l;t!6V@Ftib$^!Y+z%aT}QrJ8YajTU|jZQVj!HwW6<0@q>p7;P{ccL`l> zp^C-hpbwvq2~pibQ@7C6Ei~1Qg&xGLOi=w?^QW?eS1 z;}t}ka6?W(PxCJ84R$d7JG+Zc@SuDNoq6%!`un8YOX!Lmf>>3F+`<=i4V@4n$3JRV zamb~#+3nvyr_ZAxtt!!Zt%~-4Oosb=z!{sN>#DvCBBZHUEn9bN*43)Kfkt>WJ@XJ` z(EG-^3s3?D7LsZ$jqAx-EVh_V`Bs*FJ47X?4nwgm+0<^nZ*?A3cNUZ4A3HPl7Uy7) z)#f5EBX<{hH){XUs8TH^VTO4*`P*4g%8Aylh>P{|YF`Zs9m@Ey`aN4*T+o6%-o;Vq zF?RgKD9hgkmw}J~zF7)OJ?7J0ELP^D{y+nX=cl{>+}ZVwM&85!^dIk@pR@iyc1Pd* zqrW@&^ZWmK|K~oKzk366nETUjm3d}hMr)oXO3M4YlYbr-1pgottdp4@D1Ws@T`u^O zG&y-e^`c7JGx0A&KuP(RQRKTIq$eIYipTuVN)!0<2anB9=ia_7gFlTjFT!c5nD$1L zRGZ+&{D3I?#SKo3CG2ffoV1Co2!9s&R;l-zX#w)MwO=9(5jgSO$Gkis+qr<1#DKd)>EG7@lnrOv_S8ckre!M>dl;K6W0ceikI|w)v;(V z@)w#fw-vQ4w<}BSO+9iq!8OyzJaQ*i0ySWL5xlzo_4u4D#~LgDUVj%5my4I77Hxt| z1CPJX8qN%q-77j{iDnF>^AS8z`^fe0yyq<_oUfRx2G#7cD3X;MPTMJot2;*5@>O6?!ar(v~$_8!J`k z_L7;7Y)Fd?Ot;j|+J9*kcS_HiMrk|e^=Xr~>5^@lWSb`0rb)JG665VQO|ngs)Rt;0 zu*qqX7U>a3TEv1!q(2(d9$L7a2ivz7Fm=0Xz?r^SKOWkwd`G)m3A8r4ZQE{K z7UKr%6?fL6{Q^L*v_1d-g`fYwfo&?`DC$g<89 z{A_;d3||$KKOl`_qmVI}otsjc$KFQqbrdj`QFh)t z;J=9Y`DpANAks7Sf=D9FQaq=m_y{&Hq#i?v?WH*7p8^x1_e*hXpCjp^;^@&B$a^$i z9-K!o1U%9rApGN({PDnkQ~4X5Y;(|n2(JE?@SnUeh^dx`{JPpaisB?IB6ix zkBo?h0u)H+qN~Q*7T$F~tOu+`p+#Pfh+lLzK?0}SjnmtYFnh4Zav* z#-!3&C@YQ+3gLj!UT{n$^vprv7pr{E4zn4#w?6`_e}7OA%fZz1j1e}EvrrymG7f!; zBo9{luB~Odco2B8Y#-1cHK^TFYb9F(WMT zHMXn=!v`gbnfUf5_crWmcHSe`!8Dyi2Y-8iuzUwU=M-bC{P#i2m4JI+#8}U?tFjIA zKkqQ#3>F2_-M8%9_hKI0bJq3_pFb&e?8`f4dM!Y=jrY#Ua&8GW?&fOPkneJdodw>| z3^lo{;n;86?J}InO@`w_FRY(pko8+<6H1ipKV93@mqEhP6S0DNBGB(L&-Gxq|98_x z)~VHKS!AVADqiXM7PU2J(~xP5zDY yfp;#(-4jPj1=RkJe}Mo0f0NB4Q4U#P9aqobNsLt+003y=lPn}P2C5?f0000%|1gFC 
diff --git a/Solutions/OSSEC/Package/mainTemplate.json b/Solutions/OSSEC/Package/mainTemplate.json
index ecbf9798fcd..006e6624e61 100644
--- a/Solutions/OSSEC/Package/mainTemplate.json
+++ b/Solutions/OSSEC/Package/mainTemplate.json
@@ -479,6 +479,15 @@
 "write": true,
 "delete": true
 }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
 }
 ],
 "customs": [
@@ -506,7 +515,7 @@
 {
 "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
 "description": "[Follow these steps](https://www.ossec.net/docs/docs/manual/output/syslog-output.html) to configure OSSEC sending alerts via syslog."
-
+ },
 {
 "title": "Step C. Validate connection",
@@ -660,6 +669,15 @@
 "write": true,
 "delete": true
 }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
 }
 ],
 "customs": [
@@ -682,7 +700,7 @@
 {
 "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
 "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
-
+ },
 {
 "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
From 5a71e5e850db4ebc05d881c70515934d122335d9 Mon Sep 17 00:00:00 2001
From: v-rusraut
Date: Tue, 29 Aug 2023 15:21:27 +0530
Subject: [PATCH 5/5] Updated short link for parser
---
 .../Data Connectors/Connector_CEF_OSSEC.json | 2 +-
 .../Data Connectors/template_OSSECAMA.json | 2 +-
 .../Data/Solution_OssectemplateSpec.json | 2 +-
 Solutions/OSSEC/Package/3.0.0.zip | Bin 9319 -> 9285 bytes
 Solutions/OSSEC/Package/mainTemplate.json | 26 ++++-----
 Solutions/OSSEC/Parsers/OSSECEvent.txt | 50 ------------------
 6 files changed, 16 insertions(+), 66 deletions(-)
 delete mode 100644 Solutions/OSSEC/Parsers/OSSECEvent.txt
diff --git a/Solutions/OSSEC/Data Connectors/Connector_CEF_OSSEC.json b/Solutions/OSSEC/Data Connectors/Connector_CEF_OSSEC.json
index 7c10faa9b27..a1de722fd10 100644
--- a/Solutions/OSSEC/Data Connectors/Connector_CEF_OSSEC.json
+++ b/Solutions/OSSEC/Data Connectors/Connector_CEF_OSSEC.json
@@ -62,7 +62,7 @@
 "instructionSteps": [
 {
 "title": "",
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OSSEC/Parsers/OSSECEvent.txt), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.",
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://aka.ms/sentinel-OSSECEvent-parser), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.",
 "instructions": [
 ]
 },
diff --git a/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json b/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json
index 9512edfb507..23b971ade29 100644
--- a/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json
+++ b/Solutions/OSSEC/Data Connectors/template_OSSECAMA.json
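Review bot: The rewritten description still tells the operator to edit `on the second line of the query`, but this commit's diffstat deletes `Solutions/OSSEC/Parsers/OSSECEvent.txt` and points the solution spec at `Parsers/OSSECEvent.yaml`, so a line-number instruction written for the .txt parser may no longer match what `https://aka.ms/sentinel-OSSECEvent-parser` opens; confirm where the redirect lands and, if the hostname filter is no longer on line 2, reword to `load the function code or click [here](https://aka.ms/sentinel-OSSECEvent-parser); in the query, edit the hostname filter to list your OSSEC device(s) and any other unique identifiers for the logstream.` A short link cannot be checked against the repository during review, so it should be resolved once before merge. The identical text change appears in `template_OSSECAMA.json` (`@@ -70,7 +70,7 @@`) and three times in `mainTemplate.json` (`@@ -152`, `@@ -348`, `@@ -501`), so the wording should be updated in all of them together.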
@@ -70,7 +70,7 @@
 "instructionSteps": [
 {
 "title": "",
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OSSEC/Parsers/OSSECEvent.txt), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.",
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://aka.ms/sentinel-OSSECEvent-parser), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.",
 "instructions": [
 {
 "parameters": {
diff --git a/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json b/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json
index cc7b3fba9c8..23e3c5ba001 100644
--- a/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json
+++ b/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json
@@ -8,7 +8,7 @@
 "Data Connectors/template_OSSECAMA.json"
 ],
 "Parsers": [
- "Parsers/OSSECEvent.txt"
+ "Parsers/OSSECEvent.yaml"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\OSSEC",
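Review bot: The spec hunk `@@ -8,7 +8,7 @@` now lists `"Parsers/OSSECEvent.yaml"`, but this commit's diffstat shows only the deletion of `Solutions/OSSEC/Parsers/OSSECEvent.txt` (50 lines) and no added `.yaml`; unless that file already exists in the tree, the packaging step will reference a missing parser and the solution will ship without the `OSSECEvent` function that every connector description in this series says it depends on. Please confirm `Solutions/OSSEC/Parsers/OSSECEvent.yaml` is present at this commit, or add it in this series.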
diff --git a/Solutions/OSSEC/Package/3.0.0.zip b/Solutions/OSSEC/Package/3.0.0.zip index 785fe377f4e263a288c341bbe0b973eb3ff5a8f2..1b36b2301e15830426a85dfe7d1ccfdfabc7b462 100644 GIT binary patch delta 7105 zcmV;y8$RUcNX1C7FbEFyc^y{^gaMFN8vp>Yp|9@xpJ7Cn#+Un?GE6MI` zZsJ|nX}6x{;TyZ{+=(+OO~Dd36sZ!V9c`2S?DrhJ2$BFFvYn`jc<*#A5|4v}^TNRo z$nSst6Cu5?nLnosulJDj=4rZQ565HiX0-4kZ$=k1N=M#*vV@NOcp<;B@nmoR@58Kzg!8sXh6kOYRcPUA33p)-<7g2-i@ zkQb+?-yQX^_y^JR(n~z(9SAe}4rAX-1)=g4ynjqrONtG%Gzp@a>Jy0%qNg;PrE~bY zpTC~cOD_x4pS>{S^bs{6a|( zv450$Q*4!_b4q@_j+3`+>G^c1$o!RD&jWu>0!F4Z39g{a%Oqa#;!h8WuFz9-e-M9s zP_t8QvK@cRjO@&=S0H}S;qJ~$I^z-%6CtmJDIrmF!^jYXjG|Pa#NhZ8vG6*iKK`{c z$fag?M}6Pv_g^=Uy)fjOk-4R<)sTNt{eO`N2<4*xG@g;e$O~6#;4_#@noyFf)+y*s z5YZ5)m(es^R)%6I&6Sq~-bF}FodJswgq-496@8=2z0$4h?(mm8{nvRhH8anFd@L;# zxANJrDED%E0wq*|<0*dQwu{Lj3QIOrKZmO5FlLPU)jmWMCb{_+ljbZqilfV5c7HtG zw@_UAYBpzlGTXyhh7S=4U7Q>V3urli@AqnNW#)dYP9C6Uc9rIs8|ca!|j9W6zp z7fYIOW$?mds4<(TY^+6}?F@*iIQj!<&VU%LoKinaf^?;uC{TsX7=v;Ro~xssLrtuy zfWB)KQf)Z#`vtuz zwkG}dNfJ*pUyGEaH}&4q0wJba3?A$uHd2-wePq75_GvhS{-$(%Q(BF)oYpx3CqQ|(w;$aNHJ z%shyxPpOx{@~TG73OsR<^QK5orAEociI<?)dTNG2)dGkUMAsyNJ7v1UbBCevujUPL)t_<#FPA5ADZ^!&Hp zjF!U*QyPp_`RjaSFhxLE8klQXIpo4Znp+Ek%qG6#Hn|Scd7f9g60=AO3sBw`tZE}Q zHN|eo-6!32M}8&w=9Hsc`(KwD$!7@%@}c-qH)r`~(Jb}+Ui@hadXw9zcRJ1SMZsGd z1XPrAf4Fzgs+79Q4S%ddF(kIMy{_Ww2Hpk{H_`v15lsUBr(;VQmn!H2TJV38%N%<- zC>c~zC1&2kN+Pe925BfJ{s{$6!-(kgwMf>ItH2{q>CE$2)3>PUCC0qRXjbJjv;MOYb5GLDVpV2tErFtgm>z*MGZ8g|Dx#M?8--ifB6S z6N-TbgVIo?nr$1Am-Lb**xoBiKFDc+jS>{7{I1W%Gy#4#t2XL0I^K}MRbgl6#mvIy? 
z7ICDU0Vcb5`Plk(0^qR}m!~hKtXQVF#FevPLCIsX@ZRm>pWLjXvFe{k?`2LsU{Q>* zLAv5a`nSL!X^?^|7}*gF4}`^Ai&@H79W&{6)R^5ox{{j{j=p#qC%c{kgJCKZf1R8I zJNs{-hJP4zLD_Qc1LDo%-Ftge7f*qKH)pnY!%5h8@U9oI6B#r- zB$r;usIA-wI}zZJ7XiaK#Nm{ADHU6t$cUnDnw&x*A^=stbr|ConIid50tTV!>I_y4 z*nEP!j9xS)*C@xtD9GJTBD~Yo;VxA3l3v-ivVZ=1)2p^J^W$ZQ;)~7rPKlVJji^l1Kzi-bI|HMiba_9&cfUH7e|2j`>nd{C5bRCV=>GjEgRe zy?@3YMyA7Sh_>Tv_Emh5!pd)$2kF6d2r@r}KKg4(b|W)Cf>3+Dj4{@gK>G))#dcUl zL@6X0r{grG%e7o!DPB7G=9}j)&c1v2%{Sz1j?jkU0zf7}S_Z-JH_kc6!1UcxxG@7X z(GVe%vzVZ};BPNgn~2hY2*0>}KOivOrGIzh>hb~$Fme%kQ#v4i82E2Bt&AIC#_PD_tqONK>ua$LnG5FSl1sQ+xVa<@EAIPa*7W; zBpnbaO$9acn57uq?ZR3I%B;ZEN!q61R(<{+sq~^1iJ?Lw6N)6jbxUv=z)D#UEq??~ zq+nPUz-Dtm8OyvdgcY6l7FIs{d&B()WD!JJO1arVp})c;k9Ub=X}kzZBGluCWt=Ui zn0s*rdJaWwEuzPwFFsbEucg5R3D^w~`i^khgT(rAhzJ$IDG?77&VKSeUmud)qwl`& zlhYLgZjc3K3{z*kU0~C-m+;A65P$np^*lO{4#@KuWDR?V=D3MPec?D6Br)Lt8%C}J z_;CT#3_1i7AE-$WrA{;(DbRHY5F4}{pL(OE6ASyJeHaR74~j2H0#2&r;KK9gFvdEQ zS)G=q)&!3%O39gnKr2t=6~N}dTLHJyYYIBeCy&WxOfGOZNtU)!v{|Y{-+zmc>9K4i zjxcMr0FAl|k~l&~I3S1UzmRC5F@6|lQ|1y~eB6OU2i{MJ5@H-MNTHHdBqTCqd99f+ z+s=9PO!(*^nu)xT=1Xyws#>Mz58{P@r7$OwMDPiyGs%h|z^R}&TA82{@5DCmO6r9P zDsn;o#rSL88g$INda!?=oPQmiNFCfCk!N78V4amnDT6M_+`FRWWR=e2NDoyFC1c12 zZpopa_!@s9SQ3WtkSs-=q0D2;P9`Jrf6(dzJe+76#2qbRF*4g_*);B#`>Ty{ihjI7 zyYZ=&GJLEc&e{r>pn|^y9I@HZxvZeWs^gl3QlZ9462KyO1(92ga(}7Ez7#D!Jy?`d zj+}d$MfSNAdCA;cc*`Zawz9B2Y%>JC@bBRilj|8x$?yg7>E#>Q1x-fF6;aMV@vcWR zU}<)d<=dbp<3e(q5Ie)|Jt2x76d>q*be4O>%qF@?SX~d)}7ZHH6Vq(YOj)IX_-*cfu zprDMj49*SS1dAbPuB6?9qSOj?xMov+-J(y^)i?|IS zYSvhnoJC;1zL&Py9SLDjh+Ug(yer1#d?Tj$!|p-T0*oMq4SzM0eGkzVzo>-zoLzGY z5qNN^qg%NMmbtRr;#U)+a+{Ic`QsFfwg`Xal6bPG1K5z5&0(PWPfu^$}^=&oZ-IXJdV>lb55mBs{W}=1^TF3w$}Tm&VK1ezUAJC{H!J? 
z*ZRA%iiSp;9>560cUZm}@_au|xKmJeCr)Nw6#Pf*fEy*3aTxfkbFS8}p5|G$2t{ZBCU|q4txvIXrSt$7I#bbh7`1< zFh$mqS2sZ($uqw1JY&I(&$l*b0A&r+zG2Y@=HrW3Ww}&)qj#0c{Hm%H4r=|P{XTXX}fb@rAnZBNt470S+$wu|~F383(wo3Os#ntF5+qtX1)&qh6zsnsub&pYq_}b#BfqxweT=4gA<- zA$rr|HdjaVm+GeoMt0I$E?ptpf?n&^KvzSjs(+SFi)!V(UANxBoo}=occYT)o3i47 z*F{*m0mPqQ>~M2~&=@OpRvojhJvL~F3F=~j?lC~YZ`gf)ldo^@;|rZRe0mpO-pPkI z`R?vMTl-?C8N4NH)Jkv*O5Pq0eiKt&)KR0&wT)8^?AvX)d_{r_=6wU0b|XCdi-Ki0 zpnsmL%lkD@&duoNmZ;`ps9c&f&xzcv4q^?Y?k7R$)(zMu5x-r$GgWag$dNgoxwO)_@ZH4-^CbiZ8b5_}2B<~i{y=$R* zTLK@u03I9ByUnQGCbVufJ5g!owkEIvjepxTmtPbLw=4SgE`+ZEW!se3Dp==|RcS`g zHd^E@T6T+;y&JS_^A^{ajEZeU!`h9>Eude&Fx0DU+oX}Vw}WooqFV0~-*b1U)|T)d zs}$kW8rIVq($gNT+76{!hxuuV_qi!5^>aa^x{*GeP(Et|OR7_O6I5wur@fiz(SO@V zjdo_t79IMfp+j4^4SV3x#$B{>6)jMoF3aE2>aT(F{EX0@c3a=t&Udoitx%htt(aU%FD}}I`*d=8nm15yusP{}nj7pU#SP81cS5%}*jaZ_KldB#CRLR!`pr^q z^pAIg-NcUY?EqQORc>G%T+jvG_J6vHs~gy)8|bXWcIc?u z1dY%Iza)r+9`puyT03EXz?@qftAQfXpeIKvk@G{$QVv=k?CkXO9t_ll(b8>PkAJqkLvIuB z(Az{|!yfXdC2Xizr4@uoJzZwdTpn-YC4U<_pWQ)FapZp@#!+}+xrGv1)a6K z19yW+%9~#UnWQVX1BvM39l#<+o$Y;tjaTGtkxn+IbVEGpdLKck@9Mrmm-+N@S+J0-7p5$PVD2|2#ihuC)Gd4hxSsB|2;>%&;tKCv6EEkP%C5m#Er%F3Z4i^|! 
zd^r?SBzyZu>RqtMhcBOTT)|0vO_S3(4Z}hH=PyFus&9bk!O_!W^*#R+KDeFddN!iO zX!kyyTy=9E%Dp=Es<>EYViGQ>!FVgLxjI{!tx#NJ+33)xmqUn9zJEgG*$^grsCyeO zf$dy91%ifuo%%@)pB$3h!M`_S|J2iZm9)hIZn1#3g#~o4OqzE|)l=_H+U%O@!X_jF z4>7|iFY^t04qK@1h!y3(&K>eT+G}L~G|-JtPCK?r4oBpuKxMPJ>^2VGXUQ_Wc@Ar} zheHnU(YyT88*=?eet)7r6mS#nZ`d2$3Jc>?Smhe|xWbTiM!XPN*fedOj!WQMwF5LuuaaEPA5Ke{UXx4|O67IN1J>3=k z+qIEPjl@(He19WgT+L)RmAH#}II;sV8hffTc{3qle-uR6M*xJ~E*{Jx5ba~1{AnSv z_;iYg^5^bwU)9F}`Bjm?8?fegiwF}|a$MJ85gk@b+7Oq7EsPdE&4x)lt+8a)$C)d>;gleGs1%~awf2#d8FD|T*+x6nYN&{UDoT_>kfb-Ac;zGOoUhCq*0>2IT z_qxE^&wu#h!b;3=b3@P=BXm|Bv+nld!tKR{ZLCo%!QEb5*yiHGb`F{}qw>EfH2x-D zSh$IJ)D9;OksF`p>cmZC+{XfD*UgA;uMVBS9#=kW~ zEE{8kEy#Hba=tT=a|?iv-FmkH@7yJbxrJuskApsZJ|AKxW=yJL&DnBpy_SO`LMsF6Q45{XZ%@WUwn5irAFAXc~uBfJJSxCYPb#PZ(4 z*?-ioSl>#Q*8o5n@nW@C7}Vt4D(${lYv+l0%va(bG#+i$Ry?cdoomx2f7`z?!i zimtz5zP;ZvPa}v`)rpX~&*_FsAwrIS{?3*V#m6vr{8Lz0BR$>u;n}l^Q`xr-xImz%sWt<(uE4;LK1nZOUd7kVp3j=Hf4OQ zORH^GC~_#H#PZi{aY1vkc=Jc0$Jp@`qa=S5Tn0i0_`W$T_Lxt1i|BJx7HPk(p+ zxwGpRns^WY(|^2se$M*;*d2ZIkN)o9>-Ycj{_8%Nzk366sQu}8$~-eLqcu-G9p!EQ z^PV|eDNpCU0XgrT_xkR(`UX#)T=_r9)T(A5&<&=7mFMe}f?dT(=P@n~)i0yeY2qI* zu`-l66|U!`_}S=66j1ntVzHm3k$=&})Qd7n&%{461LfpjMuG2xke+zp79R6IOV#n! 
z4<4JJ&b@tE0)HAMUWC(9A>)ntk82hH5jocfrp8oWYn`ya*GiCoHoykOcU<<(w?#QO zzZkP!={cX!{DYp+(o0(-#=KS9*0YnpSJPv@E3v#>-1c5b>=ECPJWcUmN`KntOP_`^ z^`9p#nwZpozSp9Od-b31w`k&i{pSZQns`wE`L8XS_^bKZX7$dkc`NP7PRxj=XDylo zuP3(8sW)>bI$T>OD#9@%Ovf@i&p23@)Rtv&Wl6lLXCx=Mw)vQ6Bt>LXbGkwVnfxDO zs5=$uSPSXzb%ATScp2f)CVv<#9H3ZdtyK(Y-7BxcQmQbJ&Sxe??IZQw9>kLzm|YWv zI!;0~EM8>ghU1Y+;_A*lwmd@F`G|yiw#Orzj#%hQ+vAai+G+u~@y8<@tU>u)WYrk7 zTknLC>qwKtQz<&|(^U>HlK;$Hz z(36O*6p!&JK7!2)smBnqdMU0?NP&sa`=z)Kfg{tQ;^@&B$bWk@ULKrBFa$gzA|b-+ z#K*GnhKK5SieP0RowvzprWjPVx$dEKH z+7{k*Kg$NJMSr11UXF-jQa)q)tOL{Z0H5Sh3CSnTMaB0qu)K!xPwC9_S7Hpt3|J4S z-QE<0qSs@b^=d;24>`u7Jpu^gN{&lq9zIDZS}v7o}4NReJbD*4fnlt}MJ zr=y=Z^Pb7mmRJPw%y1bG zV#}3g3W0hMayvQF=1sArD5lJq!^uGNO@wUb$Njt^mkH;DDY}4`iW*mK9=BHS-Cm*4 zq;?Hp@PBO0EBns}F37dH)Y_ea#vHaHqFk^=61#O(U%2{5!D2>O;u~yP57rJ!6f^Pd zjrKO|YIfcu*TFQMLkE9*uzUwU=M-Zs{rjNhO2EB;QCQEktFjIA|JY%EF<2DHao@7P z-ivu~&sp0$eEy`=u`e&{>9qi{HeTo_%ef_ZYJa_e&4GS(tX>Ok*mj%5(+ml@tKrzM zG43*)$xVjiLK&=|VvzM)XA?@4n?GIK$(KRG(i5?QdLq!|GSBs3xc~Q}ty8PfvdBuK zl)o}@C~6DMrXkZ9f$SEpZ^5^|NoQCBT)|Zc^y{^gaMFN8vp>Y8@IKqDRM|=2x^813O-qcHx zg5U53yz;Vi9w%7zdEh58i!W0$BrIDl<0Sp(LcK$RL?gVL1(Lw9)@dAODRf3sNf5b= z6Y}!(^t+=T7XK)EUV4cKy#rxd-(l=~sUTFof`6CkYDuwSmL@?oQ+*=wLG+A9vvdw$ z_lwt4dg*0h`jZ!Cyx!}CvN%h8`mZF;mb?9t>gA2zR)rC=E#@b|Qqt6W5vL?$bUGjx zSxO>Gr*ulvm@GZUh?gveY5ESv%~JBqGug@TbRK8nbO=?4-_qgtUNZG#sP@Zv`bMNx;aICczbSd6~ouUi{f1$t&~}-5)>otfUbhx|oiq5!1#6-v|VM<8U+%Pf(A)_c2C^0xbMJ&7ysgHl{ z3<{~)-BI6n`u#V}V>gCeGcvcdwHorzs((Kc0ij&e z2_hQe^fH=e%gRtRrMdEwz`F>kt}|c}f{;^OtDHi%xSE9L3RPFn>Fq z?pr7>ebt-OKI!e@EW?Kggf32wgax&?T~ku;$5G7Lr)q+}hmy$VS5ixkr@Kk<=T0s~ zqnAsXaAokqW2iBkr)->yKHC`(U2*acpg9AgwQ@@RED6$8-h@FFHlq#7HF&O$b`CYM zrj94dy`3(pkFvS18yLsv20P=L!GG-xnraWH{%~iIMZvEb74~4a9RvEVQAoAn#P1t= zW40#!_DK>?Gd~w8NpI@CqXr?mS_~fSA>})RovFXW{~%%jr(yuI4QF*;^@&c4XrjsMapL7?@omebPAvpsN1AQ7Ot;&cm8+XFF+Aa) z%SpvLJYcb~P%Cxm6FO&ExfJHJJOLi&EVv3>As<#ZZ)yrgWa!=$^ zKqKf?K(Do;kz52hon1w9HOVAKKBM>As*1y66{}Z-WipMX>}6E2g@3>Q{LzGxL(hNb 
z&1gBC(4|3JmA@%Q22%utrGdVNl|wcb(%f1QWH#{?x5;&o&WpU#m6%0hEI@f%u&RyJ z)R^6nyHC319r=~yn^TSo?SE5hq?jcf$Vc;I-kjx|MYGiNoB2~0^d`4a?{u2u3&UG# z1XPrAf4Fzgs+4(^8-G{_GbFaOy{_Ws4ZI5?ZleE1Bbo&MkH?lWE>*}2F^MrWSCB8M|Ak}EZ_%r3%!&1sTr zt)rl(;Lp9}-88;-E4rL2#*>`BxAZQ85JU|#h~Tp@!TOrldw;X5RQUS(dc^Zcqll*C zKA{+BFenXGs@b*?c||X2g6+MQ1jK%Z8Z9!zj%J|{>+_`EB2F-Q3x6(njge!}-gFuW ziF`$W&4Pqmmv227C+F80M4Xg>GfqGXhzD&7%MXPJST>J{;DB6sj84UyA2J41Kg}YZ z5|s&6_~@iPxBH@yJ^O8)9BUXuMi@+u3d#h~Q1 zeytAXJR%f$Ld@aD|+uDl?WhTi4qP;tRTXE+J_4&L_6B4d*OBw!GluFhb^ zfXyek%jiW@a*c9Kw1V92B*HsQ9qvLkFX@$SD}U>sZ+g{MW`4ZvP+U=T(q=~TIv%=} zG|6a9(@>Bzp;gH#4QXD~UD7J({DZUk+ZK#5o5M^_f1s-y$%rl)5NL=-$vbG32R;~E z2fU>Sc;bpzWL_G%d_tue)A1EnC}S7?{3a3OA;K zCK@7SauySG7yRv|Y7CsOhk^etroVA0!67He;%_G!@*rx96^~C_hr}nOoPDb z0HN;*H&#fjABPBO5u6eMG~v7_Pk;G>lI$LR_q0z=R}8p87L+l}wefa=P1jz+rDH+t zYuoeaJUSpRVh~R39h&1d85N8JYmmf*BXStI4&cWHOfx7Qs7RnDJ(Nn+Y}LRxKt$PK z7VxRJa(O0Vf3y!n;p{;%5mAQT|OpwV1`4{7_^VXna-qnNs`{eBCMC#!F zh&%^#1q-u8N*Q!X=H3-0C#!TGNBL0IP%?&W;HDq?iLdb&qAOtt56M#08Op@B>|`<` z{|Buuz$J>NLEO<2nxWh-%cgO^++S@_WIFx^?Z&58%J8wGK5Hvnf`1DB9B_zdL+7$W z9)}&*WT1>1CrJRS<`sl`HOi$P``Xofda#P69BTI}i|lhL5}Ad!@Rmz-ZDnD5*k%ZM zrl5yYOs;1%CBv7*rL}YDOf=X<+&2(4YphGbA~0W1rEPXcLKqZc*E$>Tihpqh--vGhuzS$703%3Y zL-p+7L$t*&D{BMJt~rH}J-E!HTe)hM$+g1bS2L+{Uy|GT;}ndx2!G`oda{=Xz!@m3 zaI1x}pXG)Ve!;Q*$9H)2YoJyTk{Zp9=^ij2J zt@llx{nCwm%e@i#Nli|n^><|zHI3FifEI@Duwpgj`F@;mr=aXkoXor^_>b5!*Gewq zFz{FBT&-U}E7F7qg|qVBd7}jzbHhl{9kg*P_eVrjFn=vgr%j>i%SyS@i!z%l?7azU zAwPjq8GZ*$Q(onkARn@}i8e(T81C`yvSk>gZoI7o#EnhRn?__KL;|R$k%Gg0c5sx5 zD`^F_b^u~X4j-zXf^oNGZ%AQLj485~yt)ZgNwy)_?ecp$F)9z~fF~&FtOJy&iLLO* zJSJq(Vt*Um`MF0s-HM=m_8ml7k6FFV&snu3MxNzrPYnc*3DodvSlaHOSg8`IUeadR zVGzB;ayg<-^ikT%u?@e;qUt|2i>$K^tN=$N{!k-Zs*D4TS4FD6vDH@lLe{GI(NV8a zNcB2W@lSd1?>cCwmt5OKs0My$vJkzgxi8icE`O%_G11FTddsCNWLw~F-5Tg>=v39x z@zPv5Z`ZANaOWHC#@#UH`lhVF;dLRIZp87I7dzbCAT-7bomEG#YmW^YVuHF@pnD8p z_zk4!g<(+(Zlke{CvvXhUG=sNfjamt=q2%rH<2NzYrjBZDu5FxZ zaDU=%!{sXyT)6NX;JO>}++P)ry8$L$UEZ$&i*ANPw}e5Pp>k=`JSWt*I*2u(y`Kfr 
zTQ^`|%T(4tcijn^W~go*M0W$Axo_Gts{ssOWl|^b``v-w>&8?MCw9Y#>*2%ZYP}vV z+zKXaO=_)y{;aayB<~jCz-z&PTOuX9Ab%tq;l9l<-zIo(H9Jvh=C&rV0lwQbmtPfZ zw<}!tE`+ZEmfMuqGOTmSsx-rG8!hq{Ub}_YZV0@#c~9(XhS4^{XYJPK7T~g98BEr; z&(g@-+kwMwVX$`z2)a8MY)d?lRf_OwjRR_p0csC#Z3kKKL3OZ|d2kr*KR5ZT^lqs*=4povD?|?4R>TGW`Y`lbT3yrcd zr5i*lulEUr`mSy?beT^dmwyF|+8Z6}M7I({=D?Ez3=+lBP(TrWdd>zYGAnI6L3}w( ze6?Fjh2^3Vu0&DJid1Q5$>9RS%$GwUMY6Ylq}~O4eE8})#}%B!*EBhu(=Z$qfBr1w zt@;Lt9vnS8R^N+1;e*?Gu4f}kjCSwS$yGP!q1>xeugt|V6O(X3HGjridCk??%53$| z6^>=2L!Vv_Awu~RLe+*a(ZjsA;S$)+)l(p7_}8hQ)bPn6$sPQAGgwePtyf7~@Zc6a z_}RdN?xjrgwyJvS-A|is*1WKep}=F(Fv`nfN1x*ys#|EL!qoXs-bZ^CE}jOu@hND> zR>|Rr92rzL+t+U6;D3FVOv&39u(*3TWOK%xY84jRG8qtVy@>qjjY%y8$r|=Zf}B=H+T=Y%aIuZ z1Hl)z5ET%<491<)Cr7UeDVgfqAoscc7%6?u!2H+EAxPVyX(h5xB2rvYSfW#XKC@ksFOYRhhh* z7_#3BgzOU_$Zi)vW)X=#Y4q&cR;b~74^SgzR2`f3S>(GRg z)si;EHDn8;g-^3#5>IRJS@m(|S&GMz3@@IBHfrnF4}Y=P^e9Ei{{pTqYX;~f$(7l6 zkkNYCyxEw#oN65s-2z*up0$DLr5DXm#T$TDzQijMCtv#&i4Hsz>3-dj3+2;%?NMH` z!}Ukb-nLgHw!1z_Jyv42S0q}0Y8F{%+xCjYHBE$Sp!*ex?a+d%{WY&ftdQIFYQ#zd zT@9S7dVd!P^)KOSM7#T5>uN-U-x^+gT_o-od^KVvX1KW_Xp9j$tBziGdo|+rYQ#3y zsFmPuuSRThHDWslO`2i+Uln|R6R$+vL;!1tBZ|n4&vQBBCNl0*A-U^j#MkoFpX2t( z4V{(w02jN_FV|yO)s)6o1Gf8 zwN1pf=<3$!>UKK&^`NNBl33&4njw~rvB4GxUIR;9ga376e{bRNYgcS=rOR?|xztVLqHwb@zg@Aub!q61*Qag5 z?Op{v&D--g*!uSG>>f?QgYpHM=B1_UZ?JDK&@562Vo@bh3t!X~nnHve{~&9{A(ygd zw|{r0K97R5szm3tD%vv{?(YF-Y=*9@`hPNrkfvg>Y~AWxSF7>{8gcpb%tLfa?;C3d zzl0_&B-L6Pmy@$t>`k8XJy84hfyzxChGIXvsoi|T^E|36Rlkl7whHKhAb31l<{Hpd$zcs1$n%SqtIjQ_?=k*k8z2pet#L|P80uli48!RQ{jY8$_2CzMG=KQ)unw-3# zdQm0qx%gLYprriEDDpH2>4^u9;xYfT(geQz-edFAxwkLN;7_B>%WzsMro9m*6?(z| zR_Jpv(DlmlLDL-j7fn@)0y%i0`j%^m`QFq9^P46O78>*kFFxfnUU_YAN`ISIOCQ?o z6<^f!nQu!IQmtbDB4qrCZ+xDn_)j?P^CeSbsip#xR?SSB3fybe%)O=p_ggh{zp223 zR?R$UD)84<&HU9YV6&pNp7KPGk9yXk1?;;F!Qr1%Z{|#!xb|OEyrjpgjzxQsztDWS zt*B+WU0G^x>RHVRu9-gNS$|Ej5~w-lA%a)_FG$p#&UCD?^6zy4ak+RIY0)OgG!AmC zvxYMRW%r8CSfUvN>3num)IL(*?TZ6a0K~;yHK=BnMUkxBa7`ViaVueO{27(^ZK+&+jPk`O|ngsY||v$G>P$cn&HWzmG5YGorTs$w{6>v%VOMM 
zz2eSVv|j+|m9`g0e1G8=N8G?Rm2ebwCdv&=S=&T8)mfACY9^pga62RvYzsi6Kz^x1 z>F8Y*l0P7gVx)Vj@6!brr$@_!M=VX^Xm-FM?2pFs7kNY%2WNaih}hK&N*;M+p3uw3 z=e-iROC6h1n#bNn@pTk1mQi-zJK(>F`1xq;9U#&ZPasN!S$~ShloTJq=7rQ_2(i5s z*F&VhMCkoe-1oqN^iXm1Xbj{%8ZQsdBNzgnXpxX+bwFj=c!NcCJSMmrNat;Gnkl;O zHrH7+waU@js%i5KDDTL6xrH2P9O8e&;6R%-<4TZX_J+38UvnBRaSW0JI02$M2NCnJ zap0W^gU%0eYJXr~JQE>KG(Hyx4aD)05z$b90_j|I)mYoYyY6T8fVC*J$jcE?Oe$t9 zKbpaEdVo*zWQXKa&PB!dF|fRb@z3bY^H*XF+6-6^;N9L7grZloAU|wSB6}>vMpJY= zAXpG;WzMm7z6&vnhL{zs8mYk-Bg~joItyjR=|LeJFn`($j;Vy6ISBk>mCxB>HY4}; zM_~2u4+>&An0lTu!sc-n%2Q0nnNN|#LMr)5mXt{EMyI16IrE;&)1+7g@$Z;GP*79r z5f{z_eoh9{J!7^M#~~AjZ*PS$G51hIh%$|V+7t?FjYO3 z;40z~A|5g(;7(F1&N{lrrT#1icw5P}=2Hv2b209oI8rL0_J8~X{Qv(0ldB_94(e_l ZSBmzE%6J<903_y<3M4fK%_9H+000KU-5vk{ diff --git a/Solutions/OSSEC/Package/mainTemplate.json b/Solutions/OSSEC/Package/mainTemplate.json index 006e6624e61..e6e64716444 100644 --- a/Solutions/OSSEC/Package/mainTemplate.json +++ b/Solutions/OSSEC/Package/mainTemplate.json 
@@ -152,7 +152,7 @@
 },
 "instructionSteps": [
 {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OSSEC/Parsers/OSSECEvent.txt), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://aka.ms/sentinel-OSSECEvent-parser), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."
 },
 {
 "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
@@ -348,7 +348,7 @@
 },
 "instructionSteps": [
 {
-"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OSSEC/Parsers/OSSECEvent.txt), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."
+"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://aka.ms/sentinel-OSSECEvent-parser), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."
 },
 {
 "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
@@ -501,7 +501,7 @@
 },
 "instructionSteps": [
 {
-"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OSSEC/Parsers/OSSECEvent.txt), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.",
+"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://aka.ms/sentinel-OSSECEvent-parser), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.",
 "instructions": [
 {
 "parameters": {
@@ -691,7 +691,7 @@
 },
 "instructionSteps": [
 {
-"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OSSEC/Parsers/OSSECEvent.txt), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.",
+"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://aka.ms/sentinel-OSSECEvent-parser), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.",
 "instructions": [
 {
 "parameters": {
@@ -700,7 +700,7 @@
 {
 "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
 "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
-
+
 },
 {
 "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
@@ -760,15 +760,15 @@
 "properties": {
 "eTag": "*",
 "displayName": "OSSECEvent",
-"category": "Samples",
+"category": "Microsoft Sentinel Parser",
 "functionAlias": "OSSECEvent",
-"query": "\nCommonSecurityLog\r\n| where DeviceVendor has 'OSSEC'\r\n| extend EventVendor = DeviceVendor\r\n| extend EventProduct = DeviceProduct\r\n| extend EventProductVersion = DeviceVersion\r\n| extend RuleName = Activity\r\n| extend RuleNumber = DeviceEventClassID\r\n| extend Classification = coalesce(\r\n extract(@'(classification|cat)=(\\s)?(.*?)(,$|;|$)', 3, AdditionalExtensions), \r\n column_ifexists(\"DeviceEventCategory\", \"\")\r\n )\r\n| extend DvcHostname = DeviceAddress\r\n| extend EventSeverity = LogSeverity\r\n| extend SrcIpAddr = SourceIP\r\n| extend SrcHostname = SourceHostName\r\n| extend SrcUserName = SourceUserName\r\n| extend EventMessage = Message\r\n| extend FilePath = FileName\r\n| extend FileHashSha1 = FileHash\r\n| extend OldFileHashSha1 = OldFileHash\r\n| project TimeGenerated\r\n , EventVendor\r\n , EventProduct\r\n , EventProductVersion\r\n , RuleName\r\n , RuleNumber\r\n , Classification\r\n , DvcHostname\r\n , EventSeverity\r\n , SrcIpAddr\r\n , SrcHostname\r\n , SrcUserName\r\n , EventMessage\r\n , FilePath\r\n , OldFileHashSha1\r\n , FileHashSha1\r\n , DeviceCustomString1Label\r\n , DeviceCustomString1\r\n , DeviceCustomString2Label\r\n , DeviceCustomString2\r\n , DeviceCustomString3Label\r\n , DeviceCustomString3\r\n , DeviceCustomString4Label\r\n , DeviceCustomString4\r\n , DeviceCustomString5Label\r\n , DeviceCustomString5\r\n , DeviceCustomString6Label\r\n , DeviceCustomString6\r\n , AdditionalExtensions",
+"query": "CommonSecurityLog\n| where DeviceVendor has 'OSSEC'\n| extend EventVendor = DeviceVendor\n| extend EventProduct = DeviceProduct\n| extend EventProductVersion = DeviceVersion\n| extend RuleName = Activity\n| extend RuleNumber = DeviceEventClassID\n| extend Classification = coalesce(\n extract(@'(classification|cat)=(\\s)?(.*?)(,$|;|$)', 3, AdditionalExtensions), \n column_ifexists(\"DeviceEventCategory\", \"\")\n )\n| extend DvcHostname = DeviceAddress\n| extend EventSeverity = LogSeverity\n| extend SrcIpAddr = SourceIP\n| extend SrcHostname = SourceHostName\n| extend SrcUserName = SourceUserName\n| extend EventMessage = Message\n| extend FilePath = FileName\n| extend FileHashSha1 = FileHash\n| extend OldFileHashSha1 = OldFileHash\n| project TimeGenerated\n , EventVendor\n , EventProduct\n , EventProductVersion\n , RuleName\n , RuleNumber\n , Classification\n , DvcHostname\n , EventSeverity\n , SrcIpAddr\n , SrcHostname\n , SrcUserName\n , EventMessage\n , FilePath\n , OldFileHashSha1\n , FileHashSha1\n , DeviceCustomString1Label\n , DeviceCustomString1\n , DeviceCustomString2Label\n , DeviceCustomString2\n , DeviceCustomString3Label\n , DeviceCustomString3\n , DeviceCustomString4Label\n , DeviceCustomString4\n , DeviceCustomString5Label\n , DeviceCustomString5\n , DeviceCustomString6Label\n , DeviceCustomString6\n , AdditionalExtensions\n",
 "functionParameters": "",
-"version": 1,
+"version": 2,
 "tags": [
 {
 "name": "description",
-"value": "OSSECEvent"
+"value": ""
 }
 ]
 }
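Review bot: The `description` tag's value is cleared to `""` on the new side, which leaves a tag named description that carries nothing; either give it a real value, e.g. `"value": "Parses OSSEC CEF events from CommonSecurityLog into the OSSECEvent schema"`, or drop the tag entry. The same change is made in the hunk at -825, which deploys a second copy of the same OSSECEvent function with an identical query, so the two copies stay aligned only as long as every edit is applied to both; consider holding the query in a single template variable referenced from both resources so they cannot drift. The query itself differs from the old side only in line endings and the trailing newline, so the version bump to 2 is consistent with the content change.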
@@ -825,15 +825,15 @@
 "properties": {
 "eTag": "*",
 "displayName": "OSSECEvent",
-"category": "Samples",
+"category": "Microsoft Sentinel Parser",
 "functionAlias": "OSSECEvent",
-"query": "\nCommonSecurityLog\r\n| where DeviceVendor has 'OSSEC'\r\n| extend EventVendor = DeviceVendor\r\n| extend EventProduct = DeviceProduct\r\n| extend EventProductVersion = DeviceVersion\r\n| extend RuleName = Activity\r\n| extend RuleNumber = DeviceEventClassID\r\n| extend Classification = coalesce(\r\n extract(@'(classification|cat)=(\\s)?(.*?)(,$|;|$)', 3, AdditionalExtensions), \r\n column_ifexists(\"DeviceEventCategory\", \"\")\r\n )\r\n| extend DvcHostname = DeviceAddress\r\n| extend EventSeverity = LogSeverity\r\n| extend SrcIpAddr = SourceIP\r\n| extend SrcHostname = SourceHostName\r\n| extend SrcUserName = SourceUserName\r\n| extend EventMessage = Message\r\n| extend FilePath = FileName\r\n| extend FileHashSha1 = FileHash\r\n| extend OldFileHashSha1 = OldFileHash\r\n| project TimeGenerated\r\n , EventVendor\r\n , EventProduct\r\n , EventProductVersion\r\n , RuleName\r\n , RuleNumber\r\n , Classification\r\n , DvcHostname\r\n , EventSeverity\r\n , SrcIpAddr\r\n , SrcHostname\r\n , SrcUserName\r\n , EventMessage\r\n , FilePath\r\n , OldFileHashSha1\r\n , FileHashSha1\r\n , DeviceCustomString1Label\r\n , DeviceCustomString1\r\n , DeviceCustomString2Label\r\n , DeviceCustomString2\r\n , DeviceCustomString3Label\r\n , DeviceCustomString3\r\n , DeviceCustomString4Label\r\n , DeviceCustomString4\r\n , DeviceCustomString5Label\r\n , DeviceCustomString5\r\n , DeviceCustomString6Label\r\n , DeviceCustomString6\r\n , AdditionalExtensions",
+"query": "CommonSecurityLog\n| where DeviceVendor has 'OSSEC'\n| extend EventVendor = DeviceVendor\n| extend EventProduct = DeviceProduct\n| extend EventProductVersion = DeviceVersion\n| extend RuleName = Activity\n| extend RuleNumber = DeviceEventClassID\n| extend Classification = coalesce(\n extract(@'(classification|cat)=(\\s)?(.*?)(,$|;|$)', 3, AdditionalExtensions), \n column_ifexists(\"DeviceEventCategory\", \"\")\n )\n| extend DvcHostname = DeviceAddress\n| extend EventSeverity = LogSeverity\n| extend SrcIpAddr = SourceIP\n| extend SrcHostname = SourceHostName\n| extend SrcUserName = SourceUserName\n| extend EventMessage = Message\n| extend FilePath = FileName\n| extend FileHashSha1 = FileHash\n| extend OldFileHashSha1 = OldFileHash\n| project TimeGenerated\n , EventVendor\n , EventProduct\n , EventProductVersion\n , RuleName\n , RuleNumber\n , Classification\n , DvcHostname\n , EventSeverity\n , SrcIpAddr\n , SrcHostname\n , SrcUserName\n , EventMessage\n , FilePath\n , OldFileHashSha1\n , FileHashSha1\n , DeviceCustomString1Label\n , DeviceCustomString1\n , DeviceCustomString2Label\n , DeviceCustomString2\n , DeviceCustomString3Label\n , DeviceCustomString3\n , DeviceCustomString4Label\n , DeviceCustomString4\n , DeviceCustomString5Label\n , DeviceCustomString5\n , DeviceCustomString6Label\n , DeviceCustomString6\n , AdditionalExtensions\n",
 "functionParameters": "",
-"version": 1,
+"version": 2,
 "tags": [
 {
 "name": "description",
-"value": "OSSECEvent"
+"value": ""
 }
 ]
 }
diff --git a/Solutions/OSSEC/Parsers/OSSECEvent.txt b/Solutions/OSSEC/Parsers/OSSECEvent.txt
deleted file mode 100644
index dfd0f5ab268..00000000000
--- a/Solutions/OSSEC/Parsers/OSSECEvent.txt
+++ /dev/null
@@ -1,50 +0,0 @@
-// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
-CommonSecurityLog
-| where DeviceVendor has 'OSSEC'
-| extend EventVendor = DeviceVendor
-| extend EventProduct = DeviceProduct
-| extend EventProductVersion = DeviceVersion
-| extend RuleName = Activity
-| extend RuleNumber = DeviceEventClassID
-| extend Classification = coalesce(
- extract(@'(classification|cat)=(\s)?(.*?)(,$|;|$)', 3, AdditionalExtensions),
- column_ifexists("DeviceEventCategory", "")
- )
-| extend DvcHostname = DeviceAddress
-| extend EventSeverity = LogSeverity
-| extend SrcIpAddr = SourceIP
-| extend SrcHostname = SourceHostName
-| extend SrcUserName = SourceUserName
-| extend EventMessage = Message
-| extend FilePath = FileName
-| extend FileHashSha1 = FileHash
-| extend OldFileHashSha1 = OldFileHash
-| project TimeGenerated
- , EventVendor
- , EventProduct
- , EventProductVersion
- , RuleName
- , RuleNumber
- , Classification
- , DvcHostname
- , EventSeverity
- , SrcIpAddr
- , SrcHostname
- , SrcUserName
- , EventMessage
- , FilePath
- , OldFileHashSha1
- , FileHashSha1
- , DeviceCustomString1Label
- , DeviceCustomString1
- , DeviceCustomString2Label
- , DeviceCustomString2
- , DeviceCustomString3Label
- , DeviceCustomString3
- , DeviceCustomString4Label
- , DeviceCustomString4
- , DeviceCustomString5Label
- , DeviceCustomString5
- , DeviceCustomString6Label
- , DeviceCustomString6
- , AdditionalExtensions
\ No newline at end of file