From 543d7bfb2023db8f07d38230fa36f1d7e0f130d2 Mon Sep 17 00:00:00 2001
From: v-rusraut
Date: Mon, 11 Sep 2023 11:37:42 +0530
Subject: [PATCH 1/3] Repackaging - Claroty (MMA to AMA Migration)
---
 .../ValidConnectorIds.json | 3 +-
 .../Analytic Rules/ClarotyAssetDown.yaml | 5 +-
 .../ClarotyCriticalBaselineDeviation.yaml | 5 +-
 .../ClarotyLoginToUncommonSite.yaml | 5 +-
 .../ClarotyMultipleFailedLogin.yaml | 5 +-
 .../ClarotyMultipleFailedLoginsSameDst.yaml | 5 +-
 .../Analytic Rules/ClarotyNewAsset.yaml | 5 +-
 .../ClarotyPolicyViolation.yaml | 5 +-
 .../ClarotySuspiciousActivity.yaml | 5 +-
 .../ClarotySuspiciousFileTransfer.yaml | 5 +-
 .../Claroty/Analytic Rules/ClarotyTreat.yaml | 5 +-
 .../Connector_Claroty_CEF.json | 2 +-
 .../Data Connectors/template_ClarotyAMA.json | 116 ++++++++++++++++++
 Solutions/Claroty/Data/Solution_Claroty.json | 9 +-
 .../ClarotyBaselineDeviation.yaml | 3 +
 .../ClarotyConflictAssets.yaml | 3 +
 .../ClarotyCriticalEvents.yaml | 3 +
 .../Hunting Queries/ClarotyPLCLogins.yaml | 3 +
 .../ClarotySRAFailedLogins.yaml | 3 +
 .../Hunting Queries/ClarotyScanSources.yaml | 3 +
 .../Hunting Queries/ClarotyScantargets.yaml | 3 +
 .../ClarotyUnapprovedAccess.yaml | 3 +
 .../ClarotyUnresolvedAlerts.yaml | 3 +
 .../ClarotyWriteExecuteOperations.yaml | 3 +
 .../WorkbookMetadata/WorkbooksMetadata.json | 3 +-
 25 files changed, 196 insertions(+), 17 deletions(-)
 create mode 100644 Solutions/Claroty/Data Connectors/template_ClarotyAMA.json
diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
index a21620417bb..7ea4837ed40 100644
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -199,5 +199,6 @@
 "CortexXDR",
 "PingFederateAma",
 "vArmourACAma",
- "ContrastProtectAma"
+ "ContrastProtectAma",
+ "ClarotyAma"
 ]
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml b/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml index fda28649f60..d8f500846a8 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -26,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml b/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml index 17966824c6e..9316392b866 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -27,5 +30,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml b/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml index 44c82d2ea82..bc7705b768f 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent queryFrequency: 1h queryPeriod: 14d triggerOperator: gt 
@@ -40,5 +43,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: SrcIpAddr -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml index 693af5e0d9c..69c4293a38d 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -31,5 +34,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml index a645a857b83..e820f3bb253 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -33,5 +36,5 @@ entityMappings: fieldMappings: - identifier: DistinguishedName columnName: SGCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml b/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml index bc602bb9aee..cfdcc288ee3 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml 
@@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -26,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml b/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml index b6071c88ebf..d4b6636dfdc 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -26,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml index 4bdc8dbd421..a5c9cab642f 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -26,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml index 2236e16e04c..ec54e0d2aca 100755 
--- a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -26,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml b/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml index 54d3cb991d5..983fcb6ec2f 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -26,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Data Connectors/Connector_Claroty_CEF.json b/Solutions/Claroty/Data Connectors/Connector_Claroty_CEF.json index 92a32bd9318..d6dcc9725a1 100644 --- a/Solutions/Claroty/Data Connectors/Connector_Claroty_CEF.json +++ b/Solutions/Claroty/Data Connectors/Connector_Claroty_CEF.json 
@@ -1,6 +1,6 @@
 {
 "id": "Claroty",
- "title": "Claroty",
+ "title": "[Deprecated] Claroty via Legacy Agent",
 "publisher": "Claroty",
 "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.",
 "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.",
diff --git a/Solutions/Claroty/Data Connectors/template_ClarotyAMA.json b/Solutions/Claroty/Data Connectors/template_ClarotyAMA.json
new file mode 100644
index 00000000000..69365d5c5c3
--- /dev/null
+++ b/Solutions/Claroty/Data Connectors/template_ClarotyAMA.json
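Review bot: The new `title` marks the legacy connector as deprecated, but the `descriptionMarkdown` on the following context line is unchanged and still presents it as the ordinary Claroty connector, so a user opening it from the connector gallery gets no pointer to the replacement or to the side-effect of running both agents. Suggest leading the description with the guidance the solution description already carries, e.g. `"descriptionMarkdown": "**[Deprecated]** Use the **Claroty via AMA** connector wherever the Azure Monitor Agent is supported; running the legacy agent and AMA on the same machine causes log duplication and extra ingestion cost. The [Claroty](https://claroty.com/) data connector provides the capability to ingest ..."`. This is a documentation change inside the string only; the rest of the legacy connector file is outside this hunk.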
@@ -0,0 +1,116 @@ +{ + "id": "ClarotyAma", + "title": "[Recommended] Claroty via AMA", + "publisher": "Claroty", + "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Claroty", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description" : "Top 10 Destinations", + "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (Claroty)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write 
permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", + "instructions": [ + ] + }, + { + "title": "Step B. Configure Claroty to send logs using CEF", + "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.", + "instructions": [ + ] + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + + { + "title": "2. 
Secure your machine ", + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)" + } + ] +} diff --git a/Solutions/Claroty/Data/Solution_Claroty.json b/Solutions/Claroty/Data/Solution_Claroty.json index 03a77df2ce7..6653e2e5384 100644 --- a/Solutions/Claroty/Data/Solution_Claroty.json +++ b/Solutions/Claroty/Data/Solution_Claroty.json 
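Review bot: In Step C's description the command `python -version` is not the interpreter's version flag; it should read `python --version`, otherwise the prerequisite check the user is told to run fails before the troubleshooter is ever reached. The CopyableLabel value in the same step fetches `Sentinel_AMA_troubleshoot.py` from the `master` branch with wget and immediately runs it under sudo, so whatever that path contains at run time executes as root on the collector; pinning the URL to a commit (`https://raw.githubusercontent.com/Azure/Azure-Sentinel/<COMMIT_SHA>/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py`) and stating the expected checksum in the step text makes the instruction reproducible and reviewable. `permissions.resourceProvider` also asks for `"delete": true` on the workspace and `action` on `workspaces/sharedKeys` with text saying read access to the shared key is required, yet the Step A flow described here is DCR-based and never mentions the workspace key; unless the packaging tooling mandates this block verbatim, drop the sharedKeys entry and the delete right so the connector declares least privilege. Step A's note also says `log duplicacy`; `log duplication` is the intended word.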
@@ -2,12 +2,12 @@ "Name": "Claroty", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "The [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection-ctd) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\r\n\n", + "Description": "The [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection-ctd) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\n\r\n1. **Claroty via AMA** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Claroty via Legacy Agent** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Claroty via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", "Workbooks": [ "Workbooks/ClarotyOverview.json" ], "Parsers": [ - "Parsers/ClarotyEvent.txt" + "Parsers/ClarotyEvent.yaml" ], "Hunting Queries": [ "Hunting Queries/ClarotyBaselineDeviation.yaml", @@ -22,7 +22,8 @@ "Hunting Queries/ClarotyWriteExecuteOperations.yaml" ], "Data Connectors": [ - "Data Connectors/Connector_Claroty_CEF.json" + "Data Connectors/Connector_Claroty_CEF.json", + "Data Connectors/template_ClarotyAMA.json" ], "Analytic Rules": [ "Analytic Rules/ClarotyAssetDown.yaml", @@ -39,7 +40,7 @@ ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Claroty", - "Version": "3.0.0", + "Version": "3.0.1", "TemplateSpec": true, "Is1PConnector": false } diff --git a/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml b/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml index ec3ea9b5ad7..46d6a2c13a8 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml b/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml index a32ca641ecb..fabacda0da9 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent tactics: - InitialAccess relevantTechniques: 
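Review bot: The `Parsers` entry switches from `Parsers/ClarotyEvent.txt` to `Parsers/ClarotyEvent.yaml`, but the diffstat of this patch lists no parser file being added or renamed, so the package will reference a file this commit does not create unless `ClarotyEvent.yaml` already exists under `Solutions/Claroty/Parsers`; confirm it is present (and that the `.txt` is retired) before merging. The new `Description` mixes `\n\r\n` and `\n\n` as paragraph separators and uses a locale-bound `learn.microsoft.com/en-us/...` link where every other link in the string omits the locale; normalising to `\n\n` and dropping `en-us` keeps the rendered text consistent across portals. The same description string is repeated verbatim in the bot-generated `system_generated_metadata.json` in the second patch, so any wording fix here should be made before the package is regenerated.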
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml b/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml index ea6ef0125a8..f62556d4420 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml b/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml index 46d62ce29ce..629cbfbdb07 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml b/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml index 55d81c920d5..87f0c37005f 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml b/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml index e856a58babe..7ff4129e235 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent tactics: - InitialAccess relevantTechniques: 
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml b/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml index 4896246a9d0..d57bc40237a 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml b/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml index 3529be3fb98..7264df96b45 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml b/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml index bd809e64beb..7c0d17659e4 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml b/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml index e342935dce6..8a3968bdecb 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml 
@@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: Claroty dataTypes: - ClarotyEvent + - connectorId: ClarotyAma + dataTypes: + - ClarotyEvent tactics: - InitialAccess relevantTechniques: diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index e0153c21a03..11c1148e0f8 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json @@ -2857,7 +2857,8 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "Claroty" + "Claroty", + "ClarotyAma" ], "previewImagesFileNames": [ "ClarotyBlack.png", From b71803e7eb8ea74a8898dabcc936ec6e223a4c86 Mon Sep 17 00:00:00 2001 From: Github Bot Date: Mon, 11 Sep 2023 06:18:47 +0000 Subject: [PATCH 2/3] [skip ci] Github Bot Added package to Pull Request! --- .../Data/system_generated_metadata.json | 34 + Solutions/Claroty/Package/3.0.1.zip | Bin 0 -> 18406 bytes .../Claroty/Package/createUiDefinition.json | 37 +- Solutions/Claroty/Package/mainTemplate.json | 3325 +++++++++-------- 4 files changed, 1922 insertions(+), 1474 deletions(-) create mode 100644 Solutions/Claroty/Data/system_generated_metadata.json create mode 100644 Solutions/Claroty/Package/3.0.1.zip diff --git a/Solutions/Claroty/Data/system_generated_metadata.json b/Solutions/Claroty/Data/system_generated_metadata.json new file mode 100644 index 00000000000..a8a795d3ffe --- /dev/null +++ b/Solutions/Claroty/Data/system_generated_metadata.json 
@@ -0,0 +1,34 @@ +{ + "Name": "Claroty", + "Author": "Microsoft - support@microsoft.com", + "Logo": "", + "Description": "The [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection-ctd) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\n\r\n1. **Claroty via AMA** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Claroty via Legacy Agent** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Claroty via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "Metadata": "SolutionMetadata.json", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Claroty", + "Version": "3.0.1", + "TemplateSpec": true, + "Is1PConnector": false, + "publisherId": "azuresentinel", + "offerId": "azure-sentinel-solution-claroty", + "providers": [ + "Claroty" + ], + "categories": { + "domains": [ + "Internet of Things (IoT)", + "Security - Others" + ] + }, + "firstPublishDate": "2021-10-23", + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "Data Connectors": "[\n \"Data Connectors/Connector_Claroty_CEF.json\",\n \"Data Connectors/template_ClarotyAMA.json\"\n]", + "Parsers": "[\n \"ClarotyEvent.yaml\"\n]", + "Workbooks": "[\n \"Workbooks/ClarotyOverview.json\"\n]", + "Analytic Rules": "[\n \"ClarotyAssetDown.yaml\",\n \"ClarotyCriticalBaselineDeviation.yaml\",\n \"ClarotyLoginToUncommonSite.yaml\",\n \"ClarotyMultipleFailedLogin.yaml\",\n \"ClarotyMultipleFailedLoginsSameDst.yaml\",\n \"ClarotyNewAsset.yaml\",\n \"ClarotyPolicyViolation.yaml\",\n \"ClarotySuspiciousActivity.yaml\",\n \"ClarotySuspiciousFileTransfer.yaml\",\n \"ClarotyTreat.yaml\"\n]", + "Hunting Queries": "[\n \"ClarotyBaselineDeviation.yaml\",\n \"ClarotyConflictAssets.yaml\",\n \"ClarotyCriticalEvents.yaml\",\n \"ClarotyPLCLogins.yaml\",\n \"ClarotySRAFailedLogins.yaml\",\n \"ClarotyScanSources.yaml\",\n \"ClarotyScantargets.yaml\",\n \"ClarotyUnapprovedAccess.yaml\",\n \"ClarotyUnresolvedAlerts.yaml\",\n \"ClarotyWriteExecuteOperations.yaml\"\n]" +} 
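Review bot: `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Claroty"` commits an absolute path from the packager's Windows workstation into a file that is checked in alongside the package; it is not reproducible for any other contributor and leaks local directory layout into the repository. If the packaging tool needs the field at all, it should be written repo-relative (`"BasePath": "Solutions/Claroty"`) or stripped before commit — presumably the generator copies its invocation path here, so this is a tool fix rather than a hand edit. The empty `"Logo": ""` looks like the same generator gap; worth confirming nothing downstream renders it.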
diff --git a/Solutions/Claroty/Package/3.0.1.zip b/Solutions/Claroty/Package/3.0.1.zip new file mode 100644 index 0000000000000000000000000000000000000000..fecd10ddf211cdfc2a197bdbb7ba7bb706f0259a GIT binary patch literal 18406 zcmY(qb8v0X(}x?|wv7|pwr$(CZQHhO+jer|r>s&%yg|; zySKa)FbE0&000Dl3L~{z0EuRh0t^6vv=jgU`tMaEM-u~Q6BP?#6H^OY3ug;E+dr00 zcD7gA7q(mMXy18d1l`cXa5NkeTj$aZIRWI9reNZxoidywM37LLg|xOL3Z#@>wru^q z3%yIc6S+c?jU-bNoDG+@u71rC6uPs=haCx%r?`TgeyY0tM4KK0oB^v5o(vf4Xl#WH zIrZTqnLfWG$hASv$y8(p z95ICg1sHgjKeL$3_vsR*gr*nyMw;1%ikj{6X zUnbs|H&KMZ)PsLX(fJ zIbI|Nic0cI+=QA4xb`Bmjj=w7!O>KrB-l(AdQA{$IMC`@W0Fhs!2#D^Bybc&=wgH^ zf^+E1?yUn5rDBdq5YzlnHA&h?!6VKnjG#_(>5RA|uX{hA=+o5oVpNJEv%tdO9AF_{ z>m?qv6UpKwW6S+znU($wHDJ07QAIN}v3YX`?wdD={v;jjMtJ36-3EvdSui~5!Yp)y zMtmxoj#!+#-XO0-3EFeul8bl-O8U?qfCID-{{p9vOuYXl_Vh?w8c$MU=E4c|!PP@% z@^3=Q;{qoTH28-=%BD|&JEy|Kj*w_s!g(Y2V`7dnXIuHRdXOKrNS2R@S4I~Ks4!$9 z1_?P*=_d_d4nY#7XVX&|Ar(ZPix+n`ujdp^fDSqmRwJA`78!aK%||~`@No@#epW)E52NV^@M8aAnYx4I3Ob?ST=!eIE%?m($>Ysf#W(FUC zU4ry*oF@>l!{hrccEmkye_2b$-;Gl%){w?$#PTOv8iHNh3DkJDUC#Jvp$a>i61%q`(oZYzo& zk*)lv4(!c=m?y5^nMPR*MHDG58ucwWm}s@>t|wb@a?nz#Q7Ccr*vL^d5NZr zuzPI!*n*;Ttp)F;@Q;6T_Ji$~R5a*cGXxsgNMi}9T1?SCU4vj-8Ca9ITZKSk9Zx<2 zojLLKN|K5xJ(kuE`ZLsv^q2#MX{FLXH5KZe{K`@g++sSR`Qf-IZbPwqzap&5hykhYr&g1%| zk;@e^TNwQAWk%YWMy2nJnU3%@M}p*oQVdsiM(F4q7-(n>(X3qZYODv;SC=qGEHWIQ z9uxzUc!Yfpu>-Er;5d))eLSpMP4=&2bob$hHm5$!S$1AIyqRfwQ za;aQl&clM2JK_E$!J+)Yy|CYN(TWhHGZ(AOH$#rRU|mdjp(MgO*kj5te+u}0FkuK1 zgZR~}Mrj8>_bebRSuLZ?7h4c6H)rN|YJhy(PGuXs@{GSckB(o?Y8aMPb!cVvMKgMU zeO}&4?5u*d;W?cYF~^7AHR%9}XIuw#e6KqW>lBOv(N<8c|sIdNn~S z>8T7v*q%XVfMLbF+nhpqLtUZV5+C zDx+a_p4bz%6r^+}_2@UR;FxMejE0zjsmGSa*@|~Z-5MhuV$g3)-ob=YPC(im#v=AZ zF3kv@5j|$18eokBwZ+XgN_5N{#S@Ji1_O`MMnLvxQ$n1QIj=aly)I!MvqtEUSZM&8 zQRq@AX%W}gHU!O#s+P1dh8A!x%^1Z&479{ti1!QhWlt9L47H+VL63L{w^+_4FE)-6 z9y~P?|I2{P|D0kmXd<)S;BK+m*o>J3qIXXjRN*5A4epB&&Pv!CnijbLk*cKcE>PgH z2`x}D0UFT83u%o3gGT<`A2)KARE9AvhbF+g-U%WMt$yndI1$pY4%>0Bxd52o%WI8_ 
z-YzKQwNXzia)%kvt}*FZUSmlHXpjc&j4)UAalFpnkR+#_^E?VsTwuc@2q)y|7AXaVEY`fuM6 zTTQZ>jP6n$7p|PDM{CiV)s`IQEdw)YEw+3Q5JY5EyanL&e~|}L*LAhg?++`oOIaW5 ztA)8s=2~Ggc0c(xHk#)Gtt|=dbWJs&GFojl6a^txGv`E%B68D(AcH2Q*RDsU{L0S< zDH+OAU`~XiW7hOn7TT_?WjJ&yn!2Q66Z+Gkd5 z^}~chB?OPvsI$_ie5N+gnr%ilbEJ9F^+ZyzdKha!R@Xt*m+0na-{;$3EY2Vr059g^ zqRI^ja@F3f$ITXxL&~e^v^%pSoXV!~^QgH8Bl@e1rqFmc4*7p|+~d(IVkjRaprJ;V zaxsSfF+WeQAJCZgyn8q5_#C*PaEogWT#PEeHiM#OS_wn4?=T#@1KF%IkMWN`d9J)V zcUeZOHd@LqB<#gh+;5yHL&mdwzMW8k*>H3Crt9YUqi4$25sPXPy zn@U?w+t^O|Yz0=%DyG=S9g<2w8I^kLlw=2AJx^lab> z-x#y18d|-us_C(GlpLn5h*k;vn1C)uvnMLJnHeaTp46roJ|&zGKxaz7@lapYR3|2e zrASyI`2@EtMh`uqaY`9xwJBVFHk3eVhFo8*^D_fEb;A?$0Q3#KI`+_ipbWR{;U~Y0 z;neMCP5sPQwTJ8b!4Yfr;m*(K_6)v>9}noNlh2>y#F2X1cuh54YEkw@y2A`~v|6lY zS^}UJ_F?tAV^*DLPuhQ&CoGEUv{5W$KWp+&rb2bfh)-y!=qpU8bcxw&Y*G;Q@p4R7 z+FpcBrbdp!%2T#$YtJ#~&2j5iH!GC*Mr|uowOou%r$Q~lrZ>0?xZX)l5VO%LkoMKUS^RDvem?}2!A5h#^v4JU}g>166OJM3ORb#dNWK~Ar-GuuEV+_ljN#pAhC*S z!9^wviVbRvx=;x;2@uJ=RTKMR_B}&9%{|n;Sh0^`#62QwZ~bX>y>GOXbMN*Yv1<<3EUIP2 zEJwqg)ec|0jhZ`4Ch8yebKN!DcZHkqEVBmrcZF{K!DfwchdB=Wi0|1m5_pIaXz>UC zmW`X?WT56EA<)id$;rnJg#h;LVPpC!uupo(%$T_ua&s)%`6fv+?b;ZRUykB$kO1+T z&?)keQ&1QW#ZSmH7ZW$|d#J()kDT@r#5%zSvO600G`+t^fFsp@94`ycPBhkFuBWE(WZo2Lu9y%ur{Scjq1; zd$akW0Gk}}ef9mhy;YhhPI5|_lZdRPa{6Mqgyx_ZgnD4R#>n9qJtC}^!B>U%!Wii~ zLwXLs`U|Ncj}QKk;SDFW_O-n%-W5fo*}f&|D#daX=0sc$9hQpe-duG9GshZ=oV~uh z-`UqHZk3$ymJJtOW3iv7sjkeVbhy_g(RRo1?^vJDx5*FV`kY5U{yBKDBHUs}cq9>a zF)X6Buy?PaWqh91H&4HwR=;khzJHt7EhmA;*M>!8g{dw{NTOR3CY%O?+fCoEeV4=N zIU1Mxb}FVi6ITFdAj%QD&y_=jY({QDbG z^7`%!)cT${+58wO%V`b{uaHc!h-il7gd~gW7)S6u8L`x#XurXWV~8w3f@uPh)QM}8 zk1~DpTS3EShOy*@ez!(XqZ$?}YAt@pX`G#jLGYc{E)g1VcNfws4 zgC~v?mht+l$Y*N1tdD^8Q;OAlH?*0v#xns2+Nxx+S;Mcf1@<(TOs@Oqarl}OScA6D z!{zN{MT)Ji`Ymwr_(N^eW_?g;yU%mso0d!(P^9rgZEy9fD(yzE=j3}Oum5|6`g#w> z!~dE0nJ9Fc4TDIC|K_|aTsWif*eVapweZ=u_9tHCPh*R$H*oN`l(l>Q6RLGHiU~7pmB)jJ8`> zqlbx`rq6ySY#NzK<_sYge#x_X|M=y;P)XrZ`#V_)8+b)-C&QzzZS?3@1q2^H8o_4! 
zzY{UkWG7>Z9c87mV@P=q9E@_%n2U8Pv+tkoY5`v#`-AK72B~6w;o2OZW(>KyC_&V3 z_$SEOJD@TOgiI~pvRSEg!K%}=FZeaQ(LpT#u0w*Hw5^_W@qnD%j; zrPo~RFVlc|Rw2!6{o1a=J*ukYx3!|2)nM`4+3?M4t@!U!fqHiR=gM zH5ioaSg_rTS-^$$_*uaQAv0$YU?c*;fm2j~?pT7cHn~AK3iI7W{uVzeok}mV-HK zRvX1?<`fuM?C8dgpLt4Mz(3}$f;fP^h!$Oo(*eHcBh7;==EMKah=58y{O^neVe#Wz z^UZ^=`14Y@VX#nnMw@r&Rz+|T^qBV`{zhU@R0RumRk{i&qC6HO>c?)K(jJYq;w=i> zu~gpRTc=RexK-Xz;$Egye#vfW&37;nOw|#~h}@Tx)W3V@H{0++0E;S)Ch5i2CDg-X zi5a?Tt|?SwbMEh6wFNNzLTjb(%+C=c^Y7j?(H}i+6CJ+8_ehpin_NOeW9^_9e?-jl zLkn@W1X)~A=XXKlpI_NQ6Muyb%ir^-&5(sTA%;sCesK)6+S|)`FbmRMPK-+c^WK zoB0%p(CZDeb!wzXX%`V8qz!g!!JcfhY}#VxfUP=jWBOa$B8u*kGeqYolrhYE4H-nt zCpyJMN=X>#9%1P~PIsvo^diok0nyKSibm=8hMPGz(W7&SiV*w>@uq; zKP{C1X$AeKB^tWI682TfN{@v*I1|=C!zDCxmZ7tQaqgpkKJtr8${ktlF} zEH2N3G&s+|mvxlmPcn!=w%L^uGp#x{hN?b!qxao;DN=vXN=?bi-*W_?HzHBMTcridE&rsf?P4NScuS8E2)>Pl*P08(P+_Ij8 zJ>A$#5(I@@Zps;78*G+l5$R^ALJVoU0H>LJ?>T6jrSebHmAvVv+NJ&+tDkQU9Z`TE z5{tDv-vf&LprQQytVvTBVyX9(;v5{A^#C1xJO)`%jhsQCjI$Z`87v<52{0%2P-Dba z`b-$|R^N!OVNs+M8S9hQ(1&%$OLD7P8-~vjDj#leSN!Q!QP(wn*WDY@J99$5#dLH5 z4iQ%h zBM!7r@$J|daBgRR(5$q1Kf2rBrNm4zDN8U~NTneXt!Vhe(1FtjF1#oS3-#0)`ftD= z);6BWvR)Q{UOZyTiHD3*Og;ewdvV}~Xc}|#*L6cV-|P>1|C`g;3C7w^W&vVG?_j^M zBpCky-d^{FY5Ru*5pKCdCVFWE@wf7!>L{#>Q~C_=WP2&|=(}qz1KBD0@_1?AOUx!M zBJ2&IT(s}-R>&IIE(}+r^uW7G*l0*%)W7&i!{vjr7AugUHu@?1*=VH6B?nrC%q5$- z^`qzmOLBt~A7D6)?)w{NaI4gAp_#DjSiJJNjg8#I(f_{5GUr-?z9*WJHhT{fm)PCe z+i!!`nwX~U;r4kxKat-a&QaQz`1Jca33l*s3ip8{BNtSGSTWpXqqb?Js2VHP?0ISU zOK%Cd-O7~KAmi8*6QBI$zUu+VLh<9L_3_#BgW2_+A^j2`I~vO{atbT%J^K>- z-m4XoW>ffu2^0?77wEQ@sEuQEf!BnR7BJ2`OZ>xj3+34#%Q&hhmnNVOKxqj5%OYSck5jgHod(^7SR!Yq6i#|OR(c)2_1;ii{QI1TXZ%6@Vs*qN?AM{jD_A0~(oTz3PpW(kgmE z%pXM(!x24X0L59KrH>DwB+x4wx7D6Et^BYGXB-G}6KcE^l8YHO3}O2?rX8*US_aYe z+Ir3f;)6%fEZ8bhplhB5#^+#`RxeQFo|vbya!E&w&~w5X(3enrf+8Cv99<*Cc!|Mh zw^3=pb#$5;d4Z%y@NEaB1~*&26~Eu}77<8@$ZN!l|0pwP**Ag}QMoWDe3e`HgQ0U0 zG2rK9X-vUtp5dx;$-1cO;l=xgC2m3Mkm-_`)iCJV+1YB_;PIQV-6hAoa$os`mk>B( z2;$x0W4KsaEirL78*%s#{=WOiEPq0c!zpmQC{~dP$TCuS|fUj+P$l6b&%<>(C 
za(Bf9qNoP4ww02GFR%4vnxkjGPkG>^9d;633pQ1a^uZ2%V z(S4xRkyC7{{nP8qfc20)c}w)wLAV0m} zaFc$(8?zx-04d|FcSCS{jJ{JN#O_rCLg~2p!XFqpd!4m%WuVmvQ2oqzH?Hv*nD{9p zVx(pPca4MD3epGjCH%|O2=0&*U+ME!8hbaC#05#>_r{DM`oOIsXvz0a#RE})IL@+V zPu@w1+;M?(m+qKU;OM)xVy>3#Psiqfw8Wdr5f(N4 zFH+3Dz+dg~tj6iGG~aTWXopOn)hM5ssxPV%3e%v}oBpP20?>x#!c%=;4{qEraFaNA+( zILCNUY!Mb!l(Ye>GP_yA1dU-Mm%npluAJM{eioP=wPcu~sTf8YG{Dgrp}zAT+@9-; ziRis0rf4Jg$AsudWwJGfIR#$&5r0ZEX~SCy>!Dud@aI}G(eP)*X9*{Ov=CK65uxdS19Aq zqR3BHdHdxfQSv&ylMO2{Ac85N{xgQeTW?n4!|D>$Ht4%ZIJCHb5?IMpgf^VJQmL1g z<&z>zAhu0a7~};0Or$Wd<;E{16c&Yz1ak2QtBVHu-p3VbU=b!?8c6-%2tDt0gxqHz zQt!i94i9cHsrv||&fAfk3n_1zMfQx7+-V|0`-S9Nar_*QQnkx7`Wefx3EfoSUfr6~ zjVh`~m(0DB+guY=iVl}X2Zuac>FHt&R4p9577IKZsceZo9;`vKZ?_z|xl?7J(veCT zS~4ZmPBKUyI#8~S{p?Xmi(7kGunhwuF)tH-VhUX8Tv9TQm{nAiH|t&efgC<{E)R=rGL=ItOUAtF7}ILB zQ8G5|g~`K4hA}-VZjl_VKz1$Ca0Q41G)eeUo>L&Z4r#cM<14vBQy_=~2g%5ClpzkU zJ`p!y)C3qub`OtI#6BL^Dk0Hv?Ksfj1Yggvy~axFYiGvLC(vs~gkONEL4@q@n^=#j zk70{%InPSuq9EjL7<}94iU8RNSQ}m!+e^gnooC?ngVO?qEATaVbDGD6?{9-`u|di_ zbBl8rLn;v+6Ga=n$j%z!V#(CB8U<2~-PS+HKn6-w0(#0yq-WHaHInn_Kjk1ka28d{z&m3Y(rueA)3DaoVe(~&3wQTy#vm68ly`KD=kOWrok*dOGL(e1t; zHcdYGetM3QJ6Y~P{GD?BOr-&VZ(t)n!vRR{c2e=DPPAl-s1s|**^^n_BO)% zJR4H!6Hyb1bs9*HBJ05pM1epgz*KyxS?!!1_4$mb2R;;eXpkZnp0LeS;m)8h8R=t# zN5mb&fOH&ga6HioYqlQ5fk~+bvVe#FC|NYs}%7*dU(vs`hnO9`Ss0Y16D4%aK&7xaQ zMpWxf+-MfbwXorZAU&y!czC1kLb=8}-VM5Hs`CotBr9YT!CKx1U$v#7M@SFV* zu$5q#-`UA2kur*slsyF)8&Mg*FE+FhTb1$Mw4HTl#WCdLx}1e*-{#i$*5SVefhV^1 z$a760xE_!We0;vs1B}>r`Hk7zhB73c)_}haEk_4Ze+yI%w=2y{XxF3@r>ttYd~^$` z9sa6QOm6o(H19$%j(W;Qa!QLOp~A@!Zz_8{>)k6&#<2&WjVn!YQP3()GD7d6uhgc> z-nxjk{!q(1weo8UG;C;c2b*Q$%ByVvwy|^N_ik+fjsQxP`^pkX(9dc%0#CjxZUCyd z@~7b5CNu&6qn?CQXK=KesP^AjSe=1NuhC13`c0R)lThle^mK`+@@g7@=m{XHyRTK# zQ0X>WCZII`Buqf7!yQvl>2)tR5g(|q|Js@YZ%@8XU(HFirxegO-CHa#zuyKV=6$9{bNl{{>`+E`MLln995!VkKK-_2{YT+Dp8-XV7d$vH{S(h*# zCe~qAhfu=YGoX(Qyvo%BE@u?U`;8#wEcxO~!1;?gINioBr{FEYofqFnW8SMzybp)? 
z=dQK!9xL`8zG%N6pRpq<%;vK#4R=EsiTb(ok5&9N?;dGh_Vp=S7vA-=J(lyQ;%4YW zK_6-|mT(CeXvr(gMjdHY0lw*6{tZslSRm-123L^VF~At|Oi<=!>IsGb-I40Vf*@Sm z&&xPW@?}$V{Q~LCun3S;PWd+n4=lWuZIF~aRxZO+A*4$;C|Ief&!Y_^>|0T2vM@FV zZ~XPnW*eA77IB0!0>R)uDQKs|Ysw!rSSGHeHnUUEn!X{x z1kX9sX$PV4@vG~yeY!%+wA>8!U@0^^(gMEZV<(g2;o>mG{l6Lw2M$Wj-L0}l3j&Mg ziQd)w?vzW|=|CURT4YIEQ|)Yc!7yw)$B2>CWqIW7{Ld{AY-01u(VU z*}4VdBc+ zaAj;qW-(5cnkul70#)Jo7?Ux>knwIOX0?#y38QHVdh8rrf~VYLDN7~fH{zFHf+Hng z%0CAk@Z`yO#c$m|!JHgxz^&Uijx-h_y{c8IR8Oa?UgV>AaZmctv}m(Y&w&y+CNJyU zWX2{;!XX|*D8wTCzs*EjAr9dr;{O_=@{<4W`|pJaN4arC#cKdWE?!}{IBDHjNAR%q z2E?r`-kMc&MQZ5cX@Q1%1>-6ltdx5ZGR<l*^yV;4Pi^c;fxoOuB0l#B9t+_9&8Cwsj@2&Q*2iqR1~#0!!xqa5wo&bPEfRNq>U&qZxdr#dbsWkkd;*rTC{h z$sz%>sz#O+x=EMLo;-KJzTO780#?PJ(ehADHHgP|e?poOX1P~J{nzGr?OaId-gjD$ zWZD+4rF7480(RrOrKS&%bHEV-8O!&82eON<`@91ieQ)UvK=L+{AdApkbaWXa+5XrncqW>`idAT$Zz#Sjy$V^X_?Ra7o{d{>K2U)nVht;B286$+`%&mS#hx zm5+RSJ^YynGZNBFm49z3d-5E11Rc9yj7*jmzi(63UdqaiiN-%Rm0!dRg;ZXKjg7@O zuFB1S##;lq*b!2JSnAY3T{sqNnmd!lE4@&;5mb<%G$K2I2Vd@xD&nLC32B;V5to>UJe&oaLP?A@_?T-qToifrT%FI&l= zd(4@W-Dv-)Czp#|zY9;a8tElKXb)MbK_{#fb-0QgLyqKI#av{lGUfz{VUN+HI*8cy z#)^JIRNb}RA%TwzIjz0nr*KLK%~f3QHVito-$~z*6Ud+UI^ePsj~>~ozlNfX6T6|#n1K!uPpQig-8d(k zbzFhICFzO?Gc@}?aI@@Xi^i!xiUTG^6bRWjk(iD%2NXnfOUMZfC@hGz!JsSB#2W6d z!<*7k_|IIV%6$JOuoDt#P6W&N@B01Z{eT9G^St%_VCRyMm>&4V6-!kVe8NT;K~zSm zXhHqfPd#jZu#vdpfB%c`6?-NTkE8_}au8qxjaPM6C41$jj-^b3zauz6z7{m;Rs~ zS`MBLr^gqB^2Co)tXMf&doKWxBCD3O}KMI#e^C;syvogTY;= zDPo0Xj~HZ-MKXBM#KG~m(9ZP_ywkqXij|GMzQLtNJ z999rdj1N8{FD7J(q{v?F52{mezB>nnMH`5P9OCZr2Dp@s^TR@_eY!)YMl*|` z`!j`p_LMAK6he%ee5lW7lNfi=Cz^a0vh>9XMf%~t|MQINYX{O+mO;VXnb8Y&Y%)&e zhpSt55JK9AgMOMO5q2@T+G@HPXDOf-QD0&2U{(B05v6$85|!kqJawT!DH1OEeW#q{ z7oNyU{@iALFO8Nz)$I0sEyzulq_;yY0ZZDKOWf1tNcmeeYc3q$``25>TPgTxF(R^v zavi*bL0HP(*guq<=Gwl@$~Hr`DMR2rMEGN$^?kT%~GvrG}6Mu+G8dBH?0C>K)Y04m+5_$lr{w#3OeM{28%i2ugKvn z4>EHXdi=VI66i=aae3R9=f5kJ8rSdsw_+*P#<)T+WhR z)_RkA4WFNvQXL$TFPF&8bUOSOrhk!@VuPe(?TkbEP4oW3aqK2o0i}F-u9n#^4c7?Q z*e&9qUTdJ(XeMY#%2O>lrq`n6fAR;^&vJ;MHe 
zMq<0w~g49O+YSH+t`Dh_uwmar+Y~JFPd0yRJPM~Q3JInX*Ijz zD;kTA%)bDl|8`#MPsRU;HIPz&E&Qc6j@}6}&C+=%`6*BEgAM=eurRbvn5Jy_im-Of z^r7==L%^JX{iwVS*QFqtg$FE2OvBOfBzu!h@a0N=wROz%VLr#l>3e-3{Di(>D9xK^ zT~d3;DP4lbNSc5}z|bVZ1opwf5!O>%j2+rWHb{#I@Fqk5^6|MsNe9Ve&qzd;A=Tq9 zsX#wn?hb$>QeIeQ%RAf;8U8{x00VooOpa#c8GlkI%CcENC!mx%(z4!gO6ae(PS~Gg z&3H<^>9RUlY+ga3Esk-JYnM{U zCcHV*cdA@J!|?puq_vFn-sA{Hkta$iEXCC3atRX&tq9T>Jb;uLb0FRpxFD<>QH>Q= zOBE}-{>oL|?Mkxb<9}64ji#&mDoHLS)s~Z$rPY>kRw`C?o0X~>cAB$|skm-3Q<|-w zGN#YjG*-AK8d^mrGkw7fdanb2wAMMf^bMwd!?McD3!$~o2$_kzL8y2Ws5%-(VCgn& z(rRiz?Aj^<>7&&j4T?=|-qZPJvFa>haF{eLvvw8VxGW?~nXx5h?SjtAhB@rG8q(01 z^G`EXzNp^`IRNWfRo1v=wH&yx?hjnk*bXF5M!l%I{?FNgUuS9DCj-l9+~cf%$HxQJ z3gc+aW~XEeOF8JYddSSYWKX(l8Bc2_vtQu$mZYP*th+9*{jdJ8iQS?31h#gawE}0x z&ho?co}%L;IISQgg{6XW@4EW;Bz0ZXJDGXa3jG%9MS^FA9MkG7imFjV>MU1Kyl8(m zQW$J+@-8WxQkj%`J_=AXtsG`mC`)pfB>c1OCtA_jCL&Gt|5sJ`pO*=Vzg{X%68$!D zRtf)VH;G6WX;YinOv2Qcc9Uy#lk9lNy_DoOvQ$m%Ja1&JANJ9=axOnfA$oA>xsFdL zb}QuOFHu6HXDIR)bi&Uv0}O7MR@f{w4t&J26pZyJQxwwBDYTO7;~Pb4HqcxQK1#jB zSl=fv?a zg3QYKgjg~Uw}btAga>6C1F*r1rIa*neDAOS%6k3*N9-0{I(mdxyygj3>Ha_vbdxKy zS&p<5mZfG~iiE0^N@Y@kgr@jkH_4}zTIp;xsn~)grQ!#iTKRpDN>xysew{HvX}2tUEEP!X`IZK8;r1*bp?Ev42B&by?SA zUHT7D{Z4qO4<1+*A^BXAJ=U! z^5|5-qg`#_R?fg5LP3Mb_{hvb8@&L~hPQvzZbrD1v{QnZ3H)3CvmOmm*0GLBvc?Dq1|u;7XW z#k8i6$C6OAm=-B|`=1H6bk&Mt8&Xf0kysw&Fk~z>MpwMzY?y;MW1g&{83mx%Coj7F0Vkl;$ag^zME;(rhxV2gXOS~;T=Ia-{SyKTH(Gsy@Sj!Z2(Z=Tv2vcY~I2P|s*s%wjKPSJ?+tAJ7;8K~EYVcQ)xqH(YDga;{bA zCi(G@k7%exK2)NdI;~;KSTp5Qj(zQ{WIpMvWj>V^vV?`3qEurkr%aHF}~WGOM$V5(Y6G2x-q(Kw%! zRP)u=(a>wCrAZr3RZ4C;tgfIit6DSGos&?or4;cniDZ0~?zPEZ{D7mLtkF?R){+xd zI0-j_I(?>?Oyjo1|L?Iuc0XiAPB{S<65ls3U%PL^H-)o{%%!!(*M)TsfV!%wV<>2? 
zmU4VDQ=^BI`a+_jNis*}-{oOtQ;kYhlcI+OhYKs$Z00}f--Lhil)b#ss%WO>`g5K2 zTW!DY>Z+b(bJIz--jC_xt0RMPCZL7)zKbwE9Mjzl#q zSZ~SxlZ|UAqr?8Yo%TFsJMG2J2dTR(_lGuK`e_?lF0dTT)>sZ^l@`MNo*TkMQJS|( zG0mKHQQ9F`)8(1Ik!ern1aODYS`%ykO3jftkxYSl(s4iXk8r(C@p`!XT>Zb#9aG`} z+XWuOn?BHyxYmT66n?xpK%zeajxPh3@Nf&agd6sST=NhT3DKQ7R3E`8wx!m{n*i_% zv!~X5l54t2wL2PpwK=ErDK1yr=c86@$<Tv-TU0vrUN=wa$lw%hhb8%ave&Ek_O) z*K#JO+b`1Zr)=lz+QkmFQm3p?rwQlbot3t(u39^{yvW`!IPhY>BVcO<@e7-U_9i{N zJ&ajk&UN@P=~k@EW)@fY7Y8A>QZAtNg9K{jAtH>+b%8QsC)^i{k$F@8U-4CL?X{^Ce}UqobxC=x7T4jrIG# z#f?OBAwfAH38^Z1dq_3#g-Sgjal{E|gQch7m5Nugd8S-xmDrAD>;##@Btd7fhwU6B1zx!!td_}v?qizLmHb9@VA@#nyJtF=~ zz1_QwqWxv0HNe)w5}aWTm}s&rAVx-29uhtXxnowd*VF2kbFW)UYCfPU@#uJh5Ay zM}V8IZuV~}xo3`Be`okyp5_ltny18`4@rGv2wVJ*C})od86t7l8Uzb(UWr_oG1xI5 z93`7E@|w13cAh+6d}3ZI(ADiO>jc1#N;4_Px1(I1WCi4jp;!I*ZA+?cMziPTJ+N!x zSBSKFkucZ{S&`h-p3*gIRPkhbDO2dFL1TMNbuaT{Qo)-0M6V*j&Q0UO|#601&)vODE_2HM$Lj=2cY$h|a~7-%-j|5;(Xk`CGZtn~HT z=QVE^nsiLtOs}mX?D)gl0*>nlT%meb{?m`?vhzoqy;CfO zNoSiVyzxSA?O>=z?X7eL)zXhGsFaTT33leI>FX}s(F|ffAiAXjO^lPKvIe0@I*?U* zE2KS>KJCT@SvRK54MOYEZrw+a;QTKynZNJm8}O?P9W1?UzwHyo;R1tpPN5?;RKBKi z87z_S)-!sMVXLJeSe)e$dPmsOUgV9U>Zcea%#^Z(b6OflLmzY3xoW6E22N?H+Z(Y$ zV?=V>tlf1+v*_7wDY-4&obP6`_@zY*tr(Ep^mdK^Nv!hNnd z0;@6$@Qo@ytilOQ>3e@=oA^df(FJ4+?&c`*XuaanP(MJXb~~)cG|ODiK+6*BzoRbe z%fVfoMU~oH!@ZHRoD{O?VUcA`yE1yybPI(M0gElpsM>sZvvK`w3(GPkAnnO!;iV4KKw{~c@iY#E2*Io9#nL`*&t-DIC)I{cySsbYQa^O zNT=yTS63@;XqX6W!bgCK;Nk^BC41ws_iVQGHtUDs9!#USCorMjyl&(OdaSx6;yUTY z8TO0~9M0UvsU=SP;FGaoCBi>klh0<0^C7DmcMpGjqFTI@8PTytV&&)@P!-OVcoB7z zv@FzvD`*GOdh-H$`bwg2(4Nj>r5B>wc%?3W%t08vO6lGshvjzr243x4VgXmhc!ZE7 z%2wFTlfb5&61MyH2b0vF=`}^e*b_F)&NrfvcMgG=eI;z8=a6wKo(TK!fk~ZbWy79} zV!9mCIlkT zrVlN=^m`V0*riMPd4SANUf@{4R4Uo}TvkmSjLj40j74mU{R@DSjlYA8?#tUU1K%d> z?J3`rzq{)6W8tI8@4#YyWkcD)IYXP%TnWwMtJcNzjF\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Claroty/ReleaseNotes.md)\r 
\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection-ctd) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection-ctd) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\n\r\n1. **Claroty via AMA** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. 
**Claroty via Legacy Agent** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Claroty via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -60,14 +60,14 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the data connector for ingesting Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Claroty. You can get Claroty CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { "name": "dataconnectors-parser-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the ClarotyEvent Kusto Function alias." + "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." } }, { @@ -79,6 +79,13 @@ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" } } + }, + { + "name": "dataconnectors2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Claroty. You can get Claroty CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } } ] }, 
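Review bot: The new `dataconnectors-parser-text` claims the parser "transforms the ingested data into Microsoft Sentinel normalized format", but the only parser this solution ships is `ClarotyEvent.yaml` (the hunting-query texts call it the "ClarotyEvent Parser or Table"), a vendor-specific Kusto function alias rather than an ASIM schema; unless that parser was rewritten — and nothing in this PR touches it — the removed wording ("accessed using the ClarotyEvent Kusto Function alias") was the accurate one and should be restored. Separately, the added `dataconnectors2-text` block is byte-identical to `dataconnectors1-text`, so the installer shows two indistinguishable connector descriptions and gives no hint which one is AMA; name them, and repeat the warning from the solution description that running both collectors on the same host duplicates CEF ingestion and cost. Suggested AMA block: `"text": "This Solution installs the Claroty via AMA data connector, which ingests Claroty CEF events into CommonSecurityLog using the Azure Monitor Agent. Do not enable it on a host that still runs the legacy Log Analytics agent connector, or events will be ingested twice."`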
@@ -95,7 +102,7 @@ "name": "workbooks-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The workbook installed with the Claroty help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." } }, { @@ -301,7 +308,7 @@ "name": "huntingqueries-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view." + "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. " } }, { @@ -323,7 +330,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for baseline deviation events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for baseline deviation events. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)" } } ] @@ -337,7 +344,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for conflicting assets. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for conflicting assets. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)" } } ] 
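Review bot: The regenerated hunting-query descriptions now read "depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)": the two connector IDs are run together without a separator and the data type is printed twice, apparently because the generator joins the per-connector `requiredDataConnectors` entries with a space instead of deduplicating and delimiting them. The same string is emitted in every `huntingqueryN-text` hunk below, so the fix belongs in the packaging tool rather than this file, with the intended output being `... depends on Claroty or ClarotyAma data connector (ClarotyEvent Parser or Table)`. The trailing space appended to `huntingqueries-text` in the `@@ -301` hunk is generator noise as well and should not ship in the UI definition.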
@@ -351,7 +358,7 @@ "name": "huntingquery3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for critical severity events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for critical severity events. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)" } } ] @@ -365,7 +372,7 @@ "name": "huntingquery4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for PLC login security alerts. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for PLC login security alerts. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)" } } ] @@ -379,7 +386,7 @@ "name": "huntingquery5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for login failure events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for login failure events. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)" } } ] @@ -393,7 +400,7 @@ "name": "huntingquery6-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for sources of network scans. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for sources of network scans. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)" } } ] 
@@ -407,7 +414,7 @@ "name": "huntingquery7-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for targets of network scans. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for targets of network scans. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)" } } ] @@ -421,7 +428,7 @@ "name": "huntingquery8-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for unapproved access events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for unapproved access events. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)" } } ] @@ -435,7 +442,7 @@ "name": "huntingquery9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for alerts with unresolved status. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for alerts with unresolved status. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)" } } ] @@ -449,7 +456,7 @@ "name": "huntingquery10-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for operations with Write and Execute accesses. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for operations with Write and Execute accesses. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)" } } ] diff --git a/Solutions/Claroty/Package/mainTemplate.json b/Solutions/Claroty/Package/mainTemplate.json index 01ce919134f..1f0d1d69e0c 100644 --- a/Solutions/Claroty/Package/mainTemplate.json +++ b/Solutions/Claroty/Package/mainTemplate.json 
@@ -38,203 +38,321 @@ } }, "variables": { + "solutionId": "azuresentinel.azure-sentinel-solution-claroty", + "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Claroty", - "_solutionVersion": "3.0.0", - "solutionId": "azuresentinel.azure-sentinel-solution-claroty", - "_solutionId": "[variables('solutionId')]", - "workbookVersion1": "1.0.0", - "workbookContentId1": "ClarotyWorkbook", - "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))),variables('workbookVersion1')))]", - "_workbookContentId1": "[variables('workbookContentId1')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "_solutionVersion": "3.0.1", + "uiConfigId1": "Claroty", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "Claroty", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', 
uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "uiConfigId2": "ClarotyAma", + "_uiConfigId2": "[variables('uiConfigId2')]", + "dataConnectorContentId2": "ClarotyAma", + "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", + "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "_dataConnectorId2": "[variables('dataConnectorId2')]", + "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", + "dataConnectorVersion2": "1.0.0", + "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "parserName1": "Claroty Data Parser", "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))),variables('parserVersion1')))]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", "parserVersion1": "1.0.0", "parserContentId1": "ClarotyEvent-Parser", "_parserContentId1": "[variables('parserContentId1')]", "_parsercontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", + "workbookVersion1": "1.0.0", + "workbookContentId1": "ClarotyWorkbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "analyticRuleVersion1": "1.0.1", + "analyticRulecontentId1": "fd6e3416-0421-4166-adb9-186e555a7008", + "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", + "analyticRuleVersion2": "1.0.1", + "analyticRulecontentId2": "9a8b4321-e2be-449b-8227-a78227441b2a", + "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", + 
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", + "analyticRuleVersion3": "1.0.1", + "analyticRulecontentId3": "e7dbcbc3-b18f-4635-b27c-718195c369f1", + "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", + "analyticRuleVersion4": "1.0.1", + "analyticRulecontentId4": "4b5bb3fc-c690-4f54-9a74-016213d699b4", + "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", + "analyticRuleVersion5": "1.0.1", + "analyticRulecontentId5": 
"1c2310ef-19bf-4caf-b2b0-a4c983932fa5", + "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", + "analyticRuleVersion6": "1.0.1", + "analyticRulecontentId6": "6c29b611-ce69-4016-bf99-eca639fee1f5", + "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", + "analyticRuleVersion7": "1.0.1", + "analyticRulecontentId7": "3b22ac47-e02c-4599-a37a-57f965de17be", + "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", + "analyticRuleVersion8": "1.0.1", + "analyticRulecontentId8": "99ad9f3c-304c-44c5-a61f-3a17f8b58218", + "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", + "analyticRuleVersion9": "1.0.1", + "analyticRulecontentId9": "5cf35bad-677f-4c23-8927-1611e7ff6f28", + "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", + "analyticRuleVersion10": "1.0.1", + "analyticRulecontentId10": "731e5ac4-7fe1-4b06-9941-532f2e008bb3", + "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", + "analyticRuleTemplateSpecName10": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", "huntingQueryVersion1": "1.0.0", "huntingQuerycontentId1": "6b24f3aa-01db-4d26-9d60-538dd9a56391", "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))),variables('huntingQueryVersion1')))]", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", "huntingQueryVersion2": "1.0.0", "huntingQuerycontentId2": "8038c683-f4dc-481e-94c6-f906d880b0ec", "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))),variables('huntingQueryVersion2')))]", + "huntingQueryTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", "huntingQueryVersion3": "1.0.0", "huntingQuerycontentId3": "a81f3a44-049c-409d-8b98-b78aa256dacf", "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))),variables('huntingQueryVersion3')))]", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", "huntingQueryVersion4": "1.0.0", "huntingQuerycontentId4": "15569b45-4c34-4693-bf99-841e76b5da65", "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))),variables('huntingQueryVersion4')))]", + "huntingQueryTemplateSpecName4": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", "huntingQueryVersion5": "1.0.0", "huntingQuerycontentId5": "917364b7-2925-4c5d-a27c-64137a3b75b5", "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))),variables('huntingQueryVersion5')))]", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]", "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", "huntingQueryVersion6": "1.0.0", "huntingQuerycontentId6": "6c43a50e-2e59-48d9-848b-825f50927bbf", "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))),variables('huntingQueryVersion6')))]", + "huntingQueryTemplateSpecName6": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]", "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]", "huntingQueryVersion7": "1.0.0", "huntingQuerycontentId7": "8e70ddf9-32c3-4acd-9cb9-59570344335e", "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]", "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))),variables('huntingQueryVersion7')))]", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))))]", "_huntingQuerycontentProductId7": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId7'),'-', variables('huntingQueryVersion7'))))]", "huntingQueryVersion8": "1.0.0", "huntingQuerycontentId8": "de0fca32-85f3-45df-872e-41e980e5d8d3", "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))),variables('huntingQueryVersion8')))]", + "huntingQueryTemplateSpecName8": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))))]", "_huntingQuerycontentProductId8": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId8'),'-', variables('huntingQueryVersion8'))))]", "huntingQueryVersion9": "1.0.0", "huntingQuerycontentId9": "fad6cb81-9a05-4acb-9c5b-a7c62af28034", "_huntingQuerycontentId9": "[variables('huntingQuerycontentId9')]", "huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]", - "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))),variables('huntingQueryVersion9')))]", + "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))))]", "_huntingQuerycontentProductId9": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId9'),'-', variables('huntingQueryVersion9'))))]", "huntingQueryVersion10": "1.0.0", "huntingQuerycontentId10": "3882ffbf-6228-4e1f-ab8f-8d79a26da0fb", "_huntingQuerycontentId10": "[variables('huntingQuerycontentId10')]", "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]", - "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))),variables('huntingQueryVersion10')))]", + "huntingQueryTemplateSpecName10": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))))]", "_huntingQuerycontentProductId10": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId10'),'-', variables('huntingQueryVersion10'))))]", - "uiConfigId1": "Claroty", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "Claroty", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))),variables('dataConnectorVersion1')))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "analyticRuleVersion1": "1.0.0", - "analyticRulecontentId1": "fd6e3416-0421-4166-adb9-186e555a7008", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))),variables('analyticRuleVersion1')))]", - "_analyticRulecontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", - "analyticRuleVersion2": "1.0.0", - "analyticRulecontentId2": "9a8b4321-e2be-449b-8227-a78227441b2a", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))),variables('analyticRuleVersion2')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", - "analyticRuleVersion3": "1.0.0", - "analyticRulecontentId3": "e7dbcbc3-b18f-4635-b27c-718195c369f1", - "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))),variables('analyticRuleVersion3')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", - "analyticRuleVersion4": "1.0.0", - "analyticRulecontentId4": "4b5bb3fc-c690-4f54-9a74-016213d699b4", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))),variables('analyticRuleVersion4')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", - "analyticRuleVersion5": "1.0.0", - "analyticRulecontentId5": "1c2310ef-19bf-4caf-b2b0-a4c983932fa5", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))),variables('analyticRuleVersion5')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", - "analyticRuleVersion6": "1.0.0", - "analyticRulecontentId6": "6c29b611-ce69-4016-bf99-eca639fee1f5", - "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))),variables('analyticRuleVersion6')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", - "analyticRuleVersion7": "1.0.0", - "analyticRulecontentId7": "3b22ac47-e02c-4599-a37a-57f965de17be", - "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))),variables('analyticRuleVersion7')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", - "analyticRuleVersion8": "1.0.0", - "analyticRulecontentId8": "99ad9f3c-304c-44c5-a61f-3a17f8b58218", - "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))),variables('analyticRuleVersion8')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", - "analyticRuleVersion9": "1.0.0", - "analyticRulecontentId9": "5cf35bad-677f-4c23-8927-1611e7ff6f28", - "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - 
"analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))),variables('analyticRuleVersion9')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", - "analyticRuleVersion10": "1.0.0", - "analyticRulecontentId10": "731e5ac4-7fe1-4b06-9941-532f2e008bb3", - "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))),variables('analyticRuleVersion10')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName1')]", + "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - 
"description": "ClarotyOverviewWorkbook Workbook with template version 3.0.0", + "description": "Claroty data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", + "contentVersion": "[variables('dataConnectorVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Sets the time name for analysis" - }, + "kind": "GenericUI", "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **ClarotyEvent** to work as expected. 
[Follow steps to get this Kusto Function](https://aka.ms/sentinel-claroty-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"green\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"60\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(EventType)\\r\\n| summarize count() by EventType\\r\\n| join kind = inner (ClarotyEvent\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType)\\r\\n on EventType\\r\\n| project-away EventType1, TimeGenerated\",\"size\":3,\"title\":\"Event 
types\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"30\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(DstIpAddr)\\r\\n| summarize dcount(DstIpAddr)\",\"size\":3,\"title\":\"Total Devices\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| summarize dcount(AlertUrl)\",\"size\":3,\"title\":\"Total Alerts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 
1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| where ResolvedAs =~ 'Unresolved'\\r\\n| project-rename AlertTime=EventEndTime\\r\\n| join (ClarotyEvent\\r\\n | where EventOriginalType =~ 'Alert'\\r\\n | where ResolvedAs =~ 'Resolved'\\r\\n | project-rename ResolvedTime=EventEndTime) on AlertUrl\\r\\n| where datetime_diff('day',ResolvedTime,AlertTime) > 0 or datetime_diff('hour',ResolvedTime,AlertTime) > 0 or datetime_diff('minute',ResolvedTime,AlertTime) > 0 or datetime_diff('second',ResolvedTime,AlertTime) > 0\\r\\n| summarize dcount(AlertUrl)\\r\\n\",\"size\":3,\"title\":\"Resolved Alerts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"10\",\"name\":\"group - 9\",\"styleSettings\":{\"maxWidth\":\"100\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\\r\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Sources\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(DstIpAddr)\\r\\n| summarize count() by DstIpAddr\\r\\n| top 10 by count_ \",\"size\":3,\"title\":\"Top 
Targets\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(CategoryAccess)\\r\\n| where CategoryAccess !in ('None', 'Read')\\r\\n| project Destination=DstIpAddr, Source=SrcIpAddr, CategoryAccess\\r\\n\",\"size\":3,\"title\":\"Write and Execute Operations\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"34\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| order by TimeGenerated\\r\\n| project TimeGenerated, EventType, Target=DstIpAddr, Status=strcat(iff(ResolvedAs =~ 'Resolved', '✅ - Resolved', '❌ - Unresolved')), AlertUrl\",\"size\":0,\"title\":\"Latest Alerts\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"65\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventType has 'Login'\\r\\n| extend User = extract(@\\\"User\\\\s(\\\\S+)\\\\s\\\", 1, tostring(EventMessage))\\r\\n| sort by TimeGenerated desc \\r\\n| project TimeGenerated, User\",\"size\":0,\"title\":\"Latest logins to 
SRA\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"33\"}}],\"fromTemplateId\":\"sentinel-ClarotyWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "[Deprecated] Claroty via Legacy Agent", + "publisher": "Claroty", + "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Claroty", + "baseQuery": "ClarotyEvent" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Destinations", + "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (Claroty)", + "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + 
"isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." + }, + { + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." + }, + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. 
Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] + } + ], + "title": "1. Linux Syslog agent configuration" + }, + { + "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.", + "title": "2. Configure Claroty to send logs using CEF" + }, + { + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ], + "title": "3. 
Validate connection" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. Secure your machine " + } + ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { - "description": "@{workbookKey=ClarotyWorkbook; logoFileName=Azure_Sentinel.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Claroty; templateRelativePath=ClarotyOverview.json; subtitle=; provider=Claroty}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", "source": { "kind": "Solution", "name": "Claroty", @@ -249,19 +367,6 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "CommonSecurityLog", - "kind": "DataType" - }, - { - "contentId": "Claroty", - "kind": "DataConnector" - } - ] } } } 
@@ -272,129 +377,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId1')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook1-name')]", - "contentProductId": "[variables('_workbookcontentProductId1')]", - "id": "[variables('_workbookcontentProductId1')]", - "version": "[variables('workbookVersion1')]" + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "[Deprecated] Claroty via Legacy Agent", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2023-04-01-preview", - "name": "[variables('parserTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + "[variables('_dataConnectorId1')]" ], - "properties": { - "description": "ClarotyEvent Data Parser with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('_parserName1')]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - 
"eTag": "*", - "displayName": "Claroty Data Parser", - "category": "Samples", - "functionAlias": "ClarotyEvent", - "query": "\nCommonSecurityLog\r\n| where DeviceVendor =~ 'Claroty'\r\n| extend EventVendor = 'Claroty'\r\n| extend EventProduct = 'Claroty'\r\n| extend EventSchemaVersion = 0.2\r\n| extend EventCount = 1\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\r\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\r\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\r\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\r\n , DeviceCustomNumber2Label, DeviceCustomNumber2\r\n , DeviceCustomNumber3Label, DeviceCustomNumber3\r\n , DeviceCustomString1Label, DeviceCustomString1\r\n , DeviceCustomString2Label, DeviceCustomString2\r\n , DeviceCustomString3Label, DeviceCustomString3\r\n , DeviceCustomString4Label, DeviceCustomString4\r\n , DeviceCustomString5Label, DeviceCustomString5\r\n , DeviceCustomString6Label, DeviceCustomString6\r\n , DeviceCustomDate1Label, DeviceCustomDate1\r\n , DeviceCustomDate2Label, DeviceCustomDate2)\r\n| evaluate bag_unpack(packed)\r\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend packed2 = pack(cs7Label, cs7\r\n , cs8Label, cs8\r\n , cs9Label, cs9\r\n , cs10Label, cs10)\r\n| evaluate bag_unpack(packed2)\r\n| extend EventEndTime = todatetime(ReceiptTime),\r\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\r\n| project-rename EventProductVersion=DeviceVersion\r\n , EventSubType=cat\r\n , EventOriginalType=DeviceEventClassID\r\n , 
EventSeverity=LogSeverity\r\n , EventMessage=Message\r\n , DstPortNumber=DestinationPort\r\n , DstIpAddr=DestinationIP\r\n , DstDvcHostname=DestinationHostName\r\n , DstUserName=DestinationUserName\r\n , DvcIpAddr=DeviceAddress\r\n , DvcHostname=DeviceName\r\n , DstMacAddr=DestinationMACAddress\r\n , NetworkApplicationProtocol=Protocol\r\n , SrcPortNumber=SourcePort\r\n , SrcIpAddr=SourceIP\r\n , SrcMacAddr=SourceMACAddress\r\n , EventId=ExternalID\r\n , SrcDvcHostname=SourceHostName\r\n| extend EventType=Activity\r\n| project-away AdditionalExtensions\r\n , Activity\r\n , ReceiptTime\r\n , DeviceVendor\r\n , DeviceProduct\r\n , DeviceCustomNumber1\r\n , DeviceCustomNumber1Label\r\n , DeviceCustomNumber2\r\n , DeviceCustomNumber2Label\r\n , DeviceCustomNumber3\r\n , DeviceCustomNumber3Label\r\n , DeviceCustomString1\r\n , DeviceCustomString1Label\r\n , DeviceCustomString2\r\n , DeviceCustomString2Label\r\n , DeviceCustomString3\r\n , DeviceCustomString3Label\r\n , DeviceCustomString4\r\n , DeviceCustomString4Label\r\n , DeviceCustomString5\r\n , DeviceCustomString5Label\r\n , DeviceCustomString6\r\n , DeviceCustomString6Label\r\n , cs7Label\r\n , cs7\r\n , cs8Label\r\n , cs8\r\n , cs9Label\r\n , cs9\r\n , cs10Label\r\n , cs10", - "functionParameters": "", - "version": 1, - "tags": [ - { - "name": "description", - "value": "Claroty Data Parser" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", - "dependsOn": [ - "[variables('_parserName1')]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": "Parser", - "version": "[variables('parserVersion1')]", - "source": { - "name": "Claroty", 
- "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_parserContentId1')]", - "contentKind": "Parser", - "displayName": "Claroty Data Parser", - "contentProductId": "[variables('_parsercontentProductId1')]", - "id": "[variables('_parsercontentProductId1')]", - "version": "[variables('parserVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('_parserName1')]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Claroty Data Parser", - "category": "Samples", - "functionAlias": "ClarotyEvent", - "query": "\nCommonSecurityLog\r\n| where DeviceVendor =~ 'Claroty'\r\n| extend EventVendor = 'Claroty'\r\n| extend EventProduct = 'Claroty'\r\n| extend EventSchemaVersion = 0.2\r\n| extend EventCount = 1\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\r\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\r\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\r\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\r\n , DeviceCustomNumber2Label, DeviceCustomNumber2\r\n , DeviceCustomNumber3Label, DeviceCustomNumber3\r\n , DeviceCustomString1Label, 
DeviceCustomString1\r\n , DeviceCustomString2Label, DeviceCustomString2\r\n , DeviceCustomString3Label, DeviceCustomString3\r\n , DeviceCustomString4Label, DeviceCustomString4\r\n , DeviceCustomString5Label, DeviceCustomString5\r\n , DeviceCustomString6Label, DeviceCustomString6\r\n , DeviceCustomDate1Label, DeviceCustomDate1\r\n , DeviceCustomDate2Label, DeviceCustomDate2)\r\n| evaluate bag_unpack(packed)\r\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend packed2 = pack(cs7Label, cs7\r\n , cs8Label, cs8\r\n , cs9Label, cs9\r\n , cs10Label, cs10)\r\n| evaluate bag_unpack(packed2)\r\n| extend EventEndTime = todatetime(ReceiptTime),\r\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\r\n| project-rename EventProductVersion=DeviceVersion\r\n , EventSubType=cat\r\n , EventOriginalType=DeviceEventClassID\r\n , EventSeverity=LogSeverity\r\n , EventMessage=Message\r\n , DstPortNumber=DestinationPort\r\n , DstIpAddr=DestinationIP\r\n , DstDvcHostname=DestinationHostName\r\n , DstUserName=DestinationUserName\r\n , DvcIpAddr=DeviceAddress\r\n , DvcHostname=DeviceName\r\n , DstMacAddr=DestinationMACAddress\r\n , NetworkApplicationProtocol=Protocol\r\n , SrcPortNumber=SourcePort\r\n , SrcIpAddr=SourceIP\r\n , SrcMacAddr=SourceMACAddress\r\n , EventId=ExternalID\r\n , SrcDvcHostname=SourceHostName\r\n| extend EventType=Activity\r\n| project-away AdditionalExtensions\r\n , Activity\r\n , ReceiptTime\r\n , DeviceVendor\r\n , DeviceProduct\r\n , DeviceCustomNumber1\r\n , DeviceCustomNumber1Label\r\n , DeviceCustomNumber2\r\n , DeviceCustomNumber2Label\r\n , DeviceCustomNumber3\r\n , DeviceCustomNumber3Label\r\n , DeviceCustomString1\r\n , DeviceCustomString1Label\r\n , DeviceCustomString2\r\n , DeviceCustomString2Label\r\n , DeviceCustomString3\r\n , DeviceCustomString3Label\r\n , 
DeviceCustomString4\r\n , DeviceCustomString4Label\r\n , DeviceCustomString5\r\n , DeviceCustomString5Label\r\n , DeviceCustomString6\r\n , DeviceCustomString6Label\r\n , cs7Label\r\n , cs7\r\n , cs8Label\r\n , cs8\r\n , cs9Label\r\n , cs9\r\n , cs10Label\r\n , cs10", - "functionParameters": "", - "version": 1, - "tags": [ - { - "name": "description", - "value": "Claroty Data Parser" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", - "dependsOn": [ - "[variables('_parserId1')]" - ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": "Parser", - "version": "[variables('parserVersion1')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", "source": { "kind": "Solution", "name": "Claroty", 
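Review bot: The `savedSearches` resource with `"functionAlias": "ClarotyEvent"` and its `"kind": "Parser"` metadata are dropped at this position (the `-` lines between the two `DataConnector` metadata blocks), while the connector entries in the same template still run `ClarotyEvent` in `lastDataReceivedQuery` and `connectivityCriterias` and the instruction text states the parser "is deployed with the Microsoft Sentinel Solution". If the packaging tool re-emits the parser later in the file (the following hunk's new side spans 278 lines, only partly visible here) this is a pure reorder; if not, the connector health checks and every `ClarotyEvent`-based analytic rule fail with an unresolved function. Please confirm the parser resource and its `Parser` metadata still appear exactly once on the new side. The enclosing `resources` array and the second metadata resource start and end outside this hunk.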
@@ -413,143 +416,278 @@ } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], + "kind": "GenericUI", "properties": { - "description": "ClarotyBaselineDeviation_HuntingQueries Hunting Query with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ + "connectorUiConfig": { + "title": "[Deprecated] Claroty via Legacy Agent", + "publisher": "Claroty", + "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.", + "graphQueries": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Claroty_Hunting_Query_1", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Claroty - Baseline deviation", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has 'Baseline Deviation' or EventType has 'Baseline Deviation'\n| project TimeGenerated, DstIpAddr\n| extend 
IPCustomEntity = DstIpAddr\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for baseline deviation events." - }, - { - "name": "tactics", - "value": "InitialAccess" - }, - { - "name": "techniques", - "value": "T1190" - } - ] + "metricName": "Total data received", + "legend": "Claroty", + "baseQuery": "ClarotyEvent" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (Claroty)", + "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Top 10 Destinations", + "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", - "properties": { - "description": "Claroty Hunting Query 1", - "parentId": "[variables('huntingQueryId1')]", - "contentId": "[variables('_huntingQuerycontentId1')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion1')]", - "source": { - "kind": "Solution", - "name": "Claroty", - "sourceId": "[variables('_solutionId')]" + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." 
}, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] } - } + ], + "title": "1. Linux Syslog agent configuration" + }, + { + "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.", + "title": "2. Configure Claroty to send logs using CEF" + }, + { + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. 
Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ], + "title": "3. Validate connection" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. Secure your machine " } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId1')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Baseline deviation", - "contentProductId": "[variables('_huntingQuerycontentProductId1')]", - "id": "[variables('_huntingQuerycontentProductId1')]", - "version": "[variables('huntingQueryVersion1')]" + ], + "id": "[variables('_uiConfigId1')]", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." 
+ } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName2')]", + "name": "[variables('dataConnectorTemplateSpecName2')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyConflictAssets_HuntingQueries Hunting Query with template version 3.0.0", + "description": "Claroty data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion2')]", + "contentVersion": "[variables('dataConnectorVersion2')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Claroty_Hunting_Query_2", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", + "kind": "GenericUI", "properties": { - "eTag": "*", - "displayName": "Claroty - Conflict assets", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has 'New Conflict Asset' or EventType has 'New Conflict Asset'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for conflicting assets." 
+ "connectorUiConfig": { + "id": "[variables('_uiConfigId2')]", + "title": "[Recommended] Claroty via AMA", + "publisher": "Claroty", + "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Claroty", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Destinations", + "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (Claroty)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false }, - { - "name": "tactics", - "value": "InitialAccess" + "permissions": { + "resourceProvider": [ + { + "provider": 
"Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] }, - { - "name": "techniques", - "value": "T1190" - } - ] + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. 
Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", + "instructions": [] + }, + { + "title": "Step B. Configure Claroty to send logs using CEF", + "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.", + "instructions": [] + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. Secure your machine " + } + ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", "properties": { - "description": "Claroty Hunting Query 2", - "parentId": "[variables('huntingQueryId2')]", - "contentId": "[variables('_huntingQuerycontentId2')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion2')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", "source": { "kind": "Solution", "name": "Claroty", 
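Review bot: The new `[Recommended] Claroty via AMA` connector still declares `Microsoft.OperationalInsights/workspaces/sharedKeys` with `"action": true` under `permissions.resourceProvider`, yet none of its instruction steps consume a workspace key — its only `CopyableLabel` (`Sentinel_AMA_troubleshoot.py --cef`) has no `fillWith`, unlike the legacy connector's `cef_installer.py {0} {1}`, which fills `WorkspaceId` and `PrimaryKey`. If ingestion here really goes through the DCR as Step A describes, that shared-key entry looks carried over from the MMA connector and should be dropped so operators are not asked for more access than the connector uses; please confirm against the CEF-via-AMA connector this one depends on. Both connectors also tell the user to check Python with `python -version`, which should read `python --version`. The deprecated step still passes the primary key on the command line, where it lands in shell history, so a one-line warning in that step would be worthwhile if it stays.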
@@ -574,138 +712,198 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId2')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Conflict assets", - "contentProductId": "[variables('_huntingQuerycontentProductId2')]", - "id": "[variables('_huntingQuerycontentProductId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentId": "[variables('_dataConnectorContentId2')]", + "contentKind": "DataConnector", + "displayName": "[Recommended] Claroty via AMA", + "contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + "[variables('_dataConnectorId2')]" ], + "location": "[parameters('workspace-location')]", "properties": { - "description": "ClarotyCriticalEvents_HuntingQueries Hunting Query with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion3')]", - "parameters": {}, - "variables": {}, - "resources": [ + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "Claroty", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "[Recommended] Claroty via AMA", + "publisher": "Claroty", + "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.", + "graphQueries": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Claroty_Hunting_Query_3", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Claroty - Critical Events", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventSeverity == '5'\n| extend IPCustomEntity = DstIpAddr\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for critical severity events." 
- }, - { - "name": "tactics", - "value": "InitialAccess" - }, - { - "name": "techniques", - "value": "T1190" - } - ] - } - }, + "metricName": "Total data received", + "legend": "Claroty", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "dataTypes": [ { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", - "properties": { - "description": "Claroty Hunting Query 3", - "parentId": "[variables('huntingQueryId3')]", - "contentId": "[variables('_huntingQuerycontentId3')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion3')]", - "source": { - "kind": "Solution", - "name": "Claroty", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" + "name": "CommonSecurityLog (Claroty)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Top 10 Destinations", + "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize 
count() by DstIpAddr\n | top 10 by count_" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true } } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. 
Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", + "instructions": [] + }, + { + "title": "Step B. Configure Claroty to send logs using CEF", + "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.", + "instructions": [] + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. Secure your machine " } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId3')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Critical Events", - "contentProductId": "[variables('_huntingQuerycontentProductId3')]", - "id": "[variables('_huntingQuerycontentProductId3')]", - "version": "[variables('huntingQueryVersion3')]" + ], + "id": "[variables('_uiConfigId2')]", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." 
+ } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName4')]", + "name": "[variables('parserTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyPLCLogins_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ClarotyEvent Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion4')]", + "contentVersion": "[variables('parserVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", + "name": "[variables('_parserName1')]", "apiVersion": "2022-10-01", - "name": "Claroty_Hunting_Query_4", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Claroty - PLC logins", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType =~ 'Alert'\n| where EventType has 'Login'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "displayName": "Claroty Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "ClarotyEvent", + "query": "CommonSecurityLog\n| where DeviceVendor =~ 'Claroty'\n| extend EventVendor = 'Claroty'\n| extend EventProduct = 'Claroty'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = 
coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\n , DeviceCustomNumber2Label, DeviceCustomNumber2\n , DeviceCustomNumber3Label, DeviceCustomNumber3\n , DeviceCustomString1Label, DeviceCustomString1\n , DeviceCustomString2Label, DeviceCustomString2\n , DeviceCustomString3Label, DeviceCustomString3\n , DeviceCustomString4Label, DeviceCustomString4\n , DeviceCustomString5Label, DeviceCustomString5\n , DeviceCustomString6Label, DeviceCustomString6\n , DeviceCustomDate1Label, DeviceCustomDate1\n , DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\n| extend packed2 = pack(cs7Label, cs7\n , cs8Label, cs8\n , cs9Label, cs9\n , cs10Label, cs10)\n| evaluate bag_unpack(packed2)\n| extend EventEndTime = todatetime(ReceiptTime),\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\n| project-rename EventProductVersion=DeviceVersion\n , EventSubType=cat\n , EventOriginalType=DeviceEventClassID\n , EventSeverity=LogSeverity\n , EventMessage=Message\n , DstPortNumber=DestinationPort\n , DstIpAddr=DestinationIP\n , DstDvcHostname=DestinationHostName\n , DstUserName=DestinationUserName\n , DvcIpAddr=DeviceAddress\n , DvcHostname=DeviceName\n , DstMacAddr=DestinationMACAddress\n , NetworkApplicationProtocol=Protocol\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcMacAddr=SourceMACAddress\n , EventId=ExternalID\n , SrcDvcHostname=SourceHostName\n| extend EventType=Activity\n| project-away AdditionalExtensions\n , Activity\n , 
ReceiptTime\n , DeviceVendor\n , DeviceProduct\n , DeviceCustomNumber1\n , DeviceCustomNumber1Label\n , DeviceCustomNumber2\n , DeviceCustomNumber2Label\n , DeviceCustomNumber3\n , DeviceCustomNumber3Label\n , DeviceCustomString1\n , DeviceCustomString1Label\n , DeviceCustomString2\n , DeviceCustomString2Label\n , DeviceCustomString3\n , DeviceCustomString3Label\n , DeviceCustomString4\n , DeviceCustomString4Label\n , DeviceCustomString5\n , DeviceCustomString5Label\n , DeviceCustomString6\n , DeviceCustomString6Label\n , cs7Label\n , cs7\n , cs8Label\n , cs8\n , cs9Label\n , cs9\n , cs10Label\n , cs10\n", + "functionParameters": "", "version": 2, "tags": [ { "name": "description", - "value": "Query searches for PLC login security alerts." - }, - { - "name": "tactics", - "value": "InitialAccess" - }, - { - "name": "techniques", - "value": "T1190" + "value": "" } ] } @@ -713,16 +911,18 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "dependsOn": [ + "[variables('_parserName1')]" + ], "properties": { - "description": "Claroty Hunting Query 4", - "parentId": "[variables('huntingQueryId4')]", - "contentId": "[variables('_huntingQuerycontentId4')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion4')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + "version": "[variables('parserVersion1')]", "source": { - "kind": "Solution", "name": "Claroty", + "kind": "Solution", "sourceId": "[variables('_solutionId')]" }, "author": { 
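Review bot: The `ClarotyEvent` parser in this hunk derives column names from device-supplied label fields — `pack(DeviceCustomNumber1Label, DeviceCustomNumber1, …)` and `pack(cs7Label, cs7, …)` each followed by `evaluate bag_unpack(...)` — so a CEF record whose label equals an existing column (`Message`, `DeviceVendor`, …) would, if I recall bag_unpack's default conflict handling correctly, make the whole function fail and with it every analytic rule and hunting query that reads `ClarotyEvent`. Passing an explicit policy, e.g. `| evaluate bag_unpack(packed, columnsConflict='keep_source')` and likewise for `packed2`, keeps one malformed or hostile record from taking down the parser; please verify the option name against the Kusto reference before changing it. The parser's `tags` description on the new side is now `"value": ""`, whereas the block it replaces carried `"Claroty Data Parser"`; restoring that string keeps the content hub entry self-describing. The parser contentTemplate starts in this hunk but its closing lines are outside this view.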
@@ -744,67 +944,108 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId4')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - PLC logins", - "contentProductId": "[variables('_huntingQuerycontentProductId4')]", - "id": "[variables('_huntingQuerycontentProductId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentId": "[variables('_parserContentId1')]", + "contentKind": "Parser", + "displayName": "Claroty Data Parser", + "contentProductId": "[variables('_parsercontentProductId1')]", + "id": "[variables('_parsercontentProductId1')]", + "version": "[variables('parserVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('_parserName1')]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Claroty Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "ClarotyEvent", + "query": "CommonSecurityLog\n| where DeviceVendor =~ 'Claroty'\n| extend EventVendor = 'Claroty'\n| extend EventProduct = 'Claroty'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\n , DeviceCustomNumber2Label, DeviceCustomNumber2\n , DeviceCustomNumber3Label, DeviceCustomNumber3\n , DeviceCustomString1Label, DeviceCustomString1\n , DeviceCustomString2Label, DeviceCustomString2\n , 
DeviceCustomString3Label, DeviceCustomString3\n , DeviceCustomString4Label, DeviceCustomString4\n , DeviceCustomString5Label, DeviceCustomString5\n , DeviceCustomString6Label, DeviceCustomString6\n , DeviceCustomDate1Label, DeviceCustomDate1\n , DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\n| extend packed2 = pack(cs7Label, cs7\n , cs8Label, cs8\n , cs9Label, cs9\n , cs10Label, cs10)\n| evaluate bag_unpack(packed2)\n| extend EventEndTime = todatetime(ReceiptTime),\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\n| project-rename EventProductVersion=DeviceVersion\n , EventSubType=cat\n , EventOriginalType=DeviceEventClassID\n , EventSeverity=LogSeverity\n , EventMessage=Message\n , DstPortNumber=DestinationPort\n , DstIpAddr=DestinationIP\n , DstDvcHostname=DestinationHostName\n , DstUserName=DestinationUserName\n , DvcIpAddr=DeviceAddress\n , DvcHostname=DeviceName\n , DstMacAddr=DestinationMACAddress\n , NetworkApplicationProtocol=Protocol\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcMacAddr=SourceMACAddress\n , EventId=ExternalID\n , SrcDvcHostname=SourceHostName\n| extend EventType=Activity\n| project-away AdditionalExtensions\n , Activity\n , ReceiptTime\n , DeviceVendor\n , DeviceProduct\n , DeviceCustomNumber1\n , DeviceCustomNumber1Label\n , DeviceCustomNumber2\n , DeviceCustomNumber2Label\n , DeviceCustomNumber3\n , DeviceCustomNumber3Label\n , DeviceCustomString1\n , DeviceCustomString1Label\n , DeviceCustomString2\n , DeviceCustomString2Label\n , DeviceCustomString3\n , DeviceCustomString3Label\n , DeviceCustomString4\n , DeviceCustomString4Label\n , DeviceCustomString5\n , DeviceCustomString5Label\n , DeviceCustomString6\n , DeviceCustomString6Label\n , cs7Label\n , cs7\n , cs8Label\n 
, cs8\n , cs9Label\n , cs9\n , cs10Label\n , cs10\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "dependsOn": [ + "[variables('_parserId1')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + "version": "[variables('parserVersion1')]", + "source": { + "kind": "Solution", + "name": "Claroty", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName5')]", + "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotySRAFailedLogins_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ClarotyOverviewWorkbook Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion5')]", + 
"contentVersion": "[variables('workbookVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Claroty_Hunting_Query_5", + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Sets the time name for analysis" + }, "properties": { - "eTag": "*", - "displayName": "Claroty - User failed logins", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername\n| extend AccountCustomEntity = SrcUsername\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for login failure events." - }, - { - "name": "tactics", - "value": "InitialAccess" - }, - { - "name": "techniques", - "value": "T1190" - } - ] + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **ClarotyEvent** to work as expected. 
[Follow steps to get this Kusto Function](https://aka.ms/sentinel-claroty-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"green\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"60\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(EventType)\\r\\n| summarize count() by EventType\\r\\n| join kind = inner (ClarotyEvent\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType)\\r\\n on EventType\\r\\n| project-away EventType1, TimeGenerated\",\"size\":3,\"title\":\"Event 
types\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"30\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(DstIpAddr)\\r\\n| summarize dcount(DstIpAddr)\",\"size\":3,\"title\":\"Total Devices\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| summarize dcount(AlertUrl)\",\"size\":3,\"title\":\"Total Alerts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 
1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| where ResolvedAs =~ 'Unresolved'\\r\\n| project-rename AlertTime=EventEndTime\\r\\n| join (ClarotyEvent\\r\\n | where EventOriginalType =~ 'Alert'\\r\\n | where ResolvedAs =~ 'Resolved'\\r\\n | project-rename ResolvedTime=EventEndTime) on AlertUrl\\r\\n| where datetime_diff('day',ResolvedTime,AlertTime) > 0 or datetime_diff('hour',ResolvedTime,AlertTime) > 0 or datetime_diff('minute',ResolvedTime,AlertTime) > 0 or datetime_diff('second',ResolvedTime,AlertTime) > 0\\r\\n| summarize dcount(AlertUrl)\\r\\n\",\"size\":3,\"title\":\"Resolved Alerts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"10\",\"name\":\"group - 9\",\"styleSettings\":{\"maxWidth\":\"100\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\\r\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Sources\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(DstIpAddr)\\r\\n| summarize count() by DstIpAddr\\r\\n| top 10 by count_ \",\"size\":3,\"title\":\"Top 
Targets\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(CategoryAccess)\\r\\n| where CategoryAccess !in ('None', 'Read')\\r\\n| project Destination=DstIpAddr, Source=SrcIpAddr, CategoryAccess\\r\\n\",\"size\":3,\"title\":\"Write and Execute Operations\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"34\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| order by TimeGenerated\\r\\n| project TimeGenerated, EventType, Target=DstIpAddr, Status=strcat(iff(ResolvedAs =~ 'Resolved', '✅ - Resolved', '❌ - Unresolved')), AlertUrl\",\"size\":0,\"title\":\"Latest Alerts\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"65\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventType has 'Login'\\r\\n| extend User = extract(@\\\"User\\\\s(\\\\S+)\\\\s\\\", 1, tostring(EventMessage))\\r\\n| sort by TimeGenerated desc \\r\\n| project TimeGenerated, User\",\"size\":0,\"title\":\"Latest logins to 
SRA\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"33\"}}],\"fromTemplateId\":\"sentinel-ClarotyWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "Claroty Hunting Query 5", - "parentId": "[variables('huntingQueryId5')]", - "contentId": "[variables('_huntingQuerycontentId5')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion5')]", + "description": "@{workbookKey=ClarotyWorkbook; logoFileName=Azure_Sentinel.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Claroty; templateRelativePath=ClarotyOverview.json; subtitle=; provider=Claroty}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", "source": { "kind": "Solution", "name": "Claroty", 
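Review bot: The ClarotyEvent parser (the `savedSearches` resource with `"functionAlias": "ClarotyEvent"`) lets device-supplied data define its own output schema: both `evaluate bag_unpack(packed)` and `evaluate bag_unpack(packed2)` turn the `DeviceCustom*Label` and `cs*Label` values into column names, and bag_unpack's default conflict handling (`columnsConflict='error'`, if I read the plugin docs right) makes the whole function fail at query time when a label happens to equal a column already present in the row, which would take down every analytic rule, hunting query and workbook that reads `ClarotyEvent`. Since those labels arrive over CEF/syslog from the Claroty appliance (or anything else that can reach the collector), consider `evaluate bag_unpack(packed, columnsConflict='keep_source')` on both calls, so a colliding label is dropped instead of breaking the parser. The parser's description tag is also empty (`"value": ""`) in both copies of the savedSearch; something like `"value": "Normalizes Claroty CEF events from CommonSecurityLog (MMA and AMA field names) into the ClarotyEvent schema; custom columns are derived from the device-supplied CEF labels."` tells operators what the function does and that its schema is data-driven.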
@@ -819,63 +1060,105 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "CommonSecurityLog", + "kind": "DataType" + }, + { + "contentId": "Claroty", + "kind": "DataConnector" + }, + { + "contentId": "ClarotyAma", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId5')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - User failed logins", - "contentProductId": "[variables('_huntingQuerycontentProductId5')]", - "id": "[variables('_huntingQuerycontentProductId5')]", - "version": "[variables('huntingQueryVersion5')]" + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName6')]", + "name": "[variables('analyticRuleTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyScanSources_HuntingQueries Hunting Query with 
template version 3.0.0", + "description": "ClarotyAssetDown_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion6')]", + "contentVersion": "[variables('analyticRuleVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Claroty_Hunting_Query_6", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId1')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Claroty - Network scan sources", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has_any ('Network Scan', 'TCP Scan', 'UDP Scan') or EventType has_any ('Network Scan', 'TCP Scan', 'UDP Scan')\n| project TimeGenerated, SrcIpAddr\n| extend IPCustomEntity = SrcIpAddr\n", - "version": 2, - "tags": [ + "description": "Triggers asset is down.", + "displayName": "Claroty - Asset Down", + "enabled": false, + "query": "ClarotyEvent\n| where EventOriginalType has 'Asset Down' or EventType has 'Asset Down'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for sources of network scans." 
+ "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "Claroty" }, { - "name": "tactics", - "value": "InitialAccess" - }, + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "ClarotyAma" + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1529" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1190" + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" } ] } @@ -883,13 +1166,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", "properties": { - "description": "Claroty Hunting Query 6", - "parentId": "[variables('huntingQueryId6')]", - "contentId": "[variables('_huntingQuerycontentId6')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion6')]", + "description": "Claroty Analytics Rule 1", + "parentId": "[variables('analyticRuleId1')]", + "contentId": "[variables('_analyticRulecontentId1')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion1')]", "source": { "kind": "Solution", "name": "Claroty", 
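Review bot: The Asset Down rule's `"description": "Triggers asset is down."` is ungrammatical and does not tell an analyst what signal it keys on; suggest `"description": "Triggers when Claroty reports an asset as down (EventOriginalType or EventType contains 'Asset Down')."`. The rule projects only `DstIpAddr` into `IPCustomEntity`, while the workbook earlier in this same template guards the same column with `isnotempty(DstIpAddr)` before counting devices, so an Asset Down event that carries no destination IP would raise a High-severity incident with no entity to pivot on; either state that trade-off in the description or add `| where isnotempty(DstIpAddr)` before the `project`. The enclosing contentTemplate resource continues past this hunk.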
@@ -914,53 +1197,78 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId6')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Network scan sources", - "contentProductId": "[variables('_huntingQuerycontentProductId6')]", - "id": "[variables('_huntingQuerycontentProductId6')]", - "version": "[variables('huntingQueryVersion6')]" + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Asset Down", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName7')]", + "name": "[variables('analyticRuleTemplateSpecName2')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyScantargets_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ClarotyCriticalBaselineDeviation_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion7')]", + "contentVersion": "[variables('analyticRuleVersion2')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Claroty_Hunting_Query_7", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId2')]", 
+ "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Claroty - Network scan targets", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has_any ('Network Scan', 'TCP Scan', 'UDP Scan') or EventType has_any ('Network Scan', 'TCP Scan', 'UDP Scan')\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", - "version": 2, - "tags": [ + "description": "Detects when critical deviation from baseline occurs.", + "displayName": "Claroty - Critical baseline deviation", + "enabled": false, + "query": "ClarotyEvent\n| where EventOriginalType has 'Baseline Deviation' or EventType has 'Baseline Deviation'\n| where EventSeverity == '5'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for targets of network scans." + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "Claroty" }, { - "name": "tactics", - "value": "InitialAccess" - }, + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "ClarotyAma" + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1529" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1190" + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" } ] } 
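Review bot: The Critical baseline deviation rule carries `"tactics": ["Impact"]` and `"techniques": ["T1529"]` (System Shutdown/Reboot), identical to the Asset Down rule above; a baseline deviation in OT traffic is not a shutdown, so the mapping will mislead anyone pivoting on technique in Sentinel — the correct technique depends on what Claroty's baseline alert covers, which this template does not show, so either justify the mapping in the description or revisit it against the vendor's alert definition. The filter `| where EventSeverity == '5'` is an exact string compare on the renamed `LogSeverity` column with no explanation of the scale; the description should say what `'5'` means, e.g. `"description": "Detects a Claroty 'Baseline Deviation' alert with CEF severity 5 (confirm this is the sensor's highest severity)."`. The enclosing contentTemplate resource continues past this hunk.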
@@ -968,13 +1276,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", "properties": { - "description": "Claroty Hunting Query 7", - "parentId": "[variables('huntingQueryId7')]", - "contentId": "[variables('_huntingQuerycontentId7')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion7')]", + "description": "Claroty Analytics Rule 2", + "parentId": "[variables('analyticRuleId2')]", + "contentId": "[variables('_analyticRulecontentId2')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion2')]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -999,67 +1307,93 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId7')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Network scan targets", - "contentProductId": "[variables('_huntingQuerycontentProductId7')]", - "id": "[variables('_huntingQuerycontentProductId7')]", - "version": "[variables('huntingQueryVersion7')]" + "contentId": "[variables('_analyticRulecontentId2')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Critical baseline deviation", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName8')]", + "name": "[variables('analyticRuleTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyUnapprovedAccess_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ClarotyLoginToUncommonSite_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion8')]", + "contentVersion": "[variables('analyticRuleVersion3')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Claroty_Hunting_Query_8", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": 
"[variables('analyticRulecontentId3')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Claroty - Unapproved access", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventSeverity =~ 'Unapproved'\n| where isnotempty(CategoryAccess)\n| extend IPCustomEntity = DstIpAddr\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for unapproved access events." - }, + "description": "Detects user login to uncommon location.", + "displayName": "Claroty - Login to uncommon location", + "enabled": false, + "query": "let usr_sites = ClarotyEvent\n| where TimeGenerated > ago(14d)\n| where EventType has 'Login to SRA succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\slogged', 1, EventMessage)\n| summarize all_loc = makeset(tostring(Site)) by SrcUsername\n| extend k = 1;\nClarotyEvent\n| where EventType has 'Login to SRA succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\slogged', 1, EventMessage)\n| extend k = 1\n| join kind=innerunique (usr_sites) on k\n| where all_loc !contains Site\n| extend SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "tactics", - "value": "InitialAccess" + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "Claroty" }, { - "name": "techniques", - "value": "T1190" + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "ClarotyAma" } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": 
"2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]", - "properties": { - "description": "Claroty Hunting Query 8", - "parentId": "[variables('huntingQueryId8')]", - "contentId": "[variables('_huntingQuerycontentId8')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion8')]", + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "SrcIpAddr" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "properties": { + "description": "Claroty Analytics Rule 3", + "parentId": "[variables('analyticRuleId3')]", + "contentId": "[variables('_analyticRulecontentId3')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion3')]", "source": { "kind": "Solution", "name": "Claroty", 
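Review bot: The Login to uncommon location query joins the current logins to the per-user baseline on the constant `k` (`| extend k = 1` then `| join kind=innerunique (usr_sites) on k`) instead of on `SrcUsername`, so each login is compared against other users' site sets, and `innerunique` deduplicates the left side on that key, which as I read the join semantics leaves a single login event per run. Both legs also cover the same 14-day window (`queryPeriod` is `P14D` and the second leg has no time filter), so with a correct per-user join a site seen now is always already in `all_loc` and the rule could never fire; `all_loc !contains Site` is additionally a substring test on the serialized array rather than a set-membership test. The rewrite below separates the baseline from the current hour, joins on the user and uses `set_has_element`; `kind=inner` ignores users with no prior logins, so switch to `leftouter` if a first-ever login should alert as well. The rule maps only an IP entity; mapping `SrcUsername` to an Account entity would let incidents group by user.

```kql
let lookback = 14d;
let current = 1h;
let usr_sites = ClarotyEvent
| where TimeGenerated between (ago(lookback) .. ago(current))
| where EventType has 'Login to SRA succeeded'
| extend Site = column_ifexists("site_name", "")
| where isnotempty(Site)
| extend SrcUsername = extract(@'User\s(.*?)\slogged', 1, EventMessage)
| summarize all_loc = make_set(tostring(Site)) by SrcUsername;
ClarotyEvent
| where TimeGenerated > ago(current)
| where EventType has 'Login to SRA succeeded'
| extend Site = column_ifexists("site_name", "")
| where isnotempty(Site)
| extend SrcUsername = extract(@'User\s(.*?)\slogged', 1, EventMessage)
| join kind=inner (usr_sites) on SrcUsername
| where not(set_has_element(all_loc, Site))
| project TimeGenerated, SrcUsername, Site, SrcIpAddr
```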
@@ -1084,53 +1418,79 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId8')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Unapproved access", - "contentProductId": "[variables('_huntingQuerycontentProductId8')]", - "id": "[variables('_huntingQuerycontentProductId8')]", - "version": "[variables('huntingQueryVersion8')]" + "contentId": "[variables('_analyticRulecontentId3')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Login to uncommon location", + "contentProductId": "[variables('_analyticRulecontentProductId3')]", + "id": "[variables('_analyticRulecontentProductId3')]", + "version": "[variables('analyticRuleVersion3')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName9')]", + "name": "[variables('analyticRuleTemplateSpecName4')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyUnresolvedAlerts_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ClarotyMultipleFailedLogin_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion9')]", + "contentVersion": "[variables('analyticRuleVersion4')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Claroty_Hunting_Query_9", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": 
"[variables('analyticRulecontentId4')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Claroty - Unresolved alerts", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType =~ 'Alert'\n| where ResolvedAs =~ 'Unresolved'\n| extend IPCustomEntity = DstIpAddr\n", - "version": 2, - "tags": [ + "description": "Detects multiple failed logins by same user.", + "displayName": "Claroty - Multiple failed logins by user", + "enabled": false, + "query": "let threshold = 5;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend AccountCustomEntity = SrcUsername\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for alerts with unresolved status." + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "Claroty" }, { - "name": "tactics", - "value": "InitialAccess" - }, + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "ClarotyAma" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1190" + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" } ] } 
@@ -1138,13 +1498,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", "properties": { - "description": "Claroty Hunting Query 9", - "parentId": "[variables('huntingQueryId9')]", - "contentId": "[variables('_huntingQuerycontentId9')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion9')]", + "description": "Claroty Analytics Rule 4", + "parentId": "[variables('analyticRuleId4')]", + "contentId": "[variables('_analyticRulecontentId4')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion4')]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -1169,53 +1529,79 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId9')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Unresolved alerts", - "contentProductId": "[variables('_huntingQuerycontentProductId9')]", - "id": "[variables('_huntingQuerycontentProductId9')]", - "version": "[variables('huntingQueryVersion9')]" + "contentId": "[variables('_analyticRulecontentId4')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Multiple failed logins by user", + "contentProductId": "[variables('_analyticRulecontentProductId4')]", + "id": "[variables('_analyticRulecontentProductId4')]", + "version": "[variables('analyticRuleVersion4')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName10')]", + "name": "[variables('analyticRuleTemplateSpecName5')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyWriteExecuteOperations_HuntingQueries Hunting Query with template version 3.0.0", + "description": "ClarotyMultipleFailedLoginsSameDst_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion10')]", + "contentVersion": "[variables('analyticRuleVersion5')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Claroty_Hunting_Query_10", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": 
"[variables('analyticRulecontentId5')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Claroty - Write and Execute operations", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(CategoryAccess)\n| where CategoryAccess != 'Read'\n| extend IPCustomEntity = DstIpAddr\n", - "version": 2, - "tags": [ + "description": "Detects multiple failed logins to same destinations.", + "displayName": "Claroty - Multiple failed logins to same destinations", + "enabled": false, + "query": "let threshold = 10;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by Site, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend SGCustomEntity = Site\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for operations with Write and Execute accesses." + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "Claroty" }, { - "name": "tactics", - "value": "InitialAccess" - }, + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "ClarotyAma" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1190" + "fieldMappings": [ + { + "identifier": "DistinguishedName", + "columnName": "SGCustomEntity" + } + ], + "entityType": "SecurityGroup" } ] } 
@@ -1223,13 +1609,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", "properties": { - "description": "Claroty Hunting Query 10", - "parentId": "[variables('huntingQueryId10')]", - "contentId": "[variables('_huntingQuerycontentId10')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion10')]", + "description": "Claroty Analytics Rule 5", + "parentId": "[variables('analyticRuleId5')]", + "contentId": "[variables('_analyticRulecontentId5')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion5')]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -1254,166 +1640,93 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId10')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Write and Execute operations", - "contentProductId": "[variables('_huntingQuerycontentProductId10')]", - "id": "[variables('_huntingQuerycontentProductId10')]", - "version": "[variables('huntingQueryVersion10')]" + "contentId": "[variables('_analyticRulecontentId5')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Multiple failed logins to same destinations", + "contentProductId": "[variables('_analyticRulecontentProductId5')]", + "id": "[variables('_analyticRulecontentProductId5')]", + "version": "[variables('analyticRuleVersion5')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", + "name": "[variables('analyticRuleTemplateSpecName6')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Claroty data connector with template version 3.0.0", + "description": "ClarotyNewAsset_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", + "contentVersion": "[variables('analyticRuleVersion6')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": 
"Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId6')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", - "kind": "GenericUI", "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Claroty", - "publisher": "Claroty", - "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Claroty", - "baseQuery": "ClarotyEvent" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Destinations", - "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Claroty)", - "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - 
"requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, + "description": "Triggers when a new asset has been added into the environment.", + "displayName": "Claroty - New Asset", + "enabled": false, + "query": "ClarotyEvent\n| where EventOriginalType has 'New Asset' or EventType has 'New Asset'\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "Claroty" + }, + { + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "ClarotyAma" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ + { + "fieldMappings": [ { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } + "identifier": "Address", + "columnName": "IPCustomEntity" } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.", - "title": "2. 
Configure Claroty to send logs using CEF" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ] - } + ], + "entityType": "IP" + } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", + "description": "Claroty Analytics Rule 6", + "parentId": "[variables('analyticRuleId6')]", + "contentId": "[variables('_analyticRulecontentId6')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion6')]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -1438,198 +1751,261 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "Claroty", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" + "contentId": "[variables('_analyticRulecontentId6')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - New Asset", + "contentProductId": "[variables('_analyticRulecontentProductId6')]", + "id": "[variables('_analyticRulecontentProductId6')]", + "version": "[variables('analyticRuleVersion6')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "name": "[variables('analyticRuleTemplateSpecName7')]", + "location": "[parameters('workspace-location')]", "dependsOn": [ - "[variables('_dataConnectorId1')]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], - "location": "[parameters('workspace-location')]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Claroty", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": 
"Microsoft", - "email": "[variables('_email')]" + "description": "ClarotyPolicyViolation_AnalyticalRules Analytics Rule with template version 3.0.1", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion7')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId7')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects policy violations.", + "displayName": "Claroty - Policy violation", + "enabled": false, + "query": "ClarotyEvent\n| where EventOriginalType has 'Policy Violation' or EventType has 'Policy Violation'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "Claroty" + }, + { + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "ClarotyAma" + } + ], + "tactics": [ + "Discovery" + ], + "techniques": [ + "T1018" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", + "properties": { + "description": "Claroty Analytics Rule 7", + "parentId": "[variables('analyticRuleId7')]", + "contentId": "[variables('_analyticRulecontentId7')]", + 
"kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion7')]", + "source": { + "kind": "Solution", + "name": "Claroty", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId7')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Policy violation", + "contentProductId": "[variables('_analyticRulecontentProductId7')]", + "id": "[variables('_analyticRulecontentProductId7')]", + "version": "[variables('analyticRuleVersion7')]" } }, { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName8')]", "location": "[parameters('workspace-location')]", - "kind": "GenericUI", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], "properties": { - "connectorUiConfig": { - "title": "Claroty", - "publisher": "Claroty", - "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to 
ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Claroty", - "baseQuery": "ClarotyEvent" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Claroty)", - "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ + "description": "ClarotySuspiciousActivity_AnalyticalRules Analytics Rule with template version 3.0.1", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion8')]", + "parameters": {}, + "variables": {}, + "resources": [ { - "description": "Top 10 Destinations", - "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId8')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects suspicious behavior that is generally indicative of malware.", + "displayName": "Claroty - Suspicious activity", + "enabled": false, + "query": "ClarotyEvent\n| where EventOriginalType has 'Suspicious Activity' or EventType has 'Suspicious Activity'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "Claroty" + }, + { + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "ClarotyAma" + } + ], + "tactics": [ + "Discovery" + ], + "techniques": [ + "T1018" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" + } + ] } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." 
}, { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "properties": { + "description": "Claroty Analytics Rule 8", + "parentId": "[variables('analyticRuleId8')]", + "contentId": "[variables('_analyticRulecontentId8')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion8')]", + "source": { + "kind": "Solution", + "name": "Claroty", + "sourceId": "[variables('_solutionId')]" }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.", - "title": "2. Configure Claroty to send logs using CEF" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " + } } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." 
- } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId8')]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Suspicious activity", + "contentProductId": "[variables('_analyticRulecontentProductId8')]", + "id": "[variables('_analyticRulecontentProductId8')]", + "version": "[variables('analyticRuleVersion8')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName1')]", + "name": "[variables('analyticRuleTemplateSpecName9')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyAssetDown_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ClarotySuspiciousFileTransfer_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + "contentVersion": "[variables('analyticRuleVersion9')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId1')]", + "name": "[variables('analyticRulecontentId9')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Triggers asset is down.", - "displayName": "Claroty - Asset Down", + "description": "Detects suspicious file transfer activity.", + "displayName": "Claroty - 
Suspicious file transfer", "enabled": false, - "query": "ClarotyEvent\n| where EventOriginalType has 'Asset Down' or EventType has 'Asset Down'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "query": "ClarotyEvent\n| where EventOriginalType has 'Suspicious File Transfer' or EventType has 'Suspicious File Transfer'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "High", @@ -1640,24 +2016,30 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Claroty", "dataTypes": [ "ClarotyEvent" - ] + ], + "connectorId": "Claroty" + }, + { + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "ClarotyAma" } ], "tactics": [ - "Impact" + "Discovery" ], "techniques": [ - "T1529" + "T1018" ], "entityMappings": [ { "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ], "entityType": "IP" @@ -1668,13 +2050,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", "properties": { - "description": "Claroty Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", + "description": "Claroty Analytics Rule 9", + "parentId": "[variables('analyticRuleId9')]", + "contentId": "[variables('_analyticRulecontentId9')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "version": "[variables('analyticRuleVersion9')]", "source": { "kind": "Solution", "name": "Claroty", 
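Review bot: The `tactics`/`techniques` pair for the Suspicious file transfer rule is `Discovery` / `T1018` (Remote System Discovery), which does not describe a file-transfer detection, and the Treat rule in hunk `@@ -1744,24 +2126,30 @@` carries the identical pair even though its description speaks of command-and-control servers, so this looks like one mapping copied across rules rather than assigned per rule. If the source YAML says the same, a closer fit would be e.g. `"tactics": ["LateralMovement"]` / `"techniques": ["T1570"]` here and `CommandAndControl` for the Treat rule; these fields feed the MITRE coverage view in Sentinel, so a wrong tag both inflates coverage of one technique and hides the real one. The enclosing `AlertRuleTemplates` resource starts outside this hunk, and since mainTemplate.json is generated the fix belongs in the rule YAML followed by a repackage.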
@@ -1699,41 +2081,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId1')]", + "contentId": "[variables('_analyticRulecontentId9')]", "contentKind": "AnalyticsRule", - "displayName": "Claroty - Asset Down", - "contentProductId": "[variables('_analyticRulecontentProductId1')]", - "id": "[variables('_analyticRulecontentProductId1')]", - "version": "[variables('analyticRuleVersion1')]" + "displayName": "Claroty - Suspicious file transfer", + "contentProductId": "[variables('_analyticRulecontentProductId9')]", + "id": "[variables('_analyticRulecontentProductId9')]", + "version": "[variables('analyticRuleVersion9')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName2')]", + "name": "[variables('analyticRuleTemplateSpecName10')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyCriticalBaselineDeviation_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ClarotyTreat_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": "[variables('analyticRuleVersion10')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId2')]", + "name": "[variables('analyticRulecontentId10')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": 
"[parameters('workspace-location')]", "properties": { - "description": "Detects when critical deviation from baseline occurs.", - "displayName": "Claroty - Critical baseline deviation", + "description": "Detects Collection of known malware commands and control servers.", + "displayName": "Claroty - Treat detected", "enabled": false, - "query": "ClarotyEvent\n| where EventOriginalType has 'Baseline Deviation' or EventType has 'Baseline Deviation'\n| where EventSeverity == '5'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "query": "ClarotyEvent\n| where EventOriginalType has 'Treat' or EventType has 'Treat'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "High", @@ -1744,24 +2126,30 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Claroty", "dataTypes": [ "ClarotyEvent" - ] + ], + "connectorId": "Claroty" + }, + { + "dataTypes": [ + "ClarotyEvent" + ], + "connectorId": "ClarotyAma" } ], "tactics": [ - "Impact" + "Discovery" ], "techniques": [ - "T1529" + "T1018" ], "entityMappings": [ { "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ], "entityType": "IP" 
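Review bot: The Treat rule's `query` filters on `EventOriginalType has 'Treat' or EventType has 'Treat'` and its display name is `Claroty - Treat detected`; `Treat` reads as a misspelling of `Threat`. If the Claroty event type is actually spelled `Threat`, `has` never matches and the rule is silently dead, so the literal should be confirmed against a real event sample before this ships; if `Treat` is genuinely the vendor's spelling, a comment in the source YAML saying so would stop the next maintainer from "correcting" it. The description `Detects Collection of known malware commands and control servers.` also reads awkwardly — `Detects communication with known malware command-and-control servers.` says the same thing. Both values come from `ClarotyTreat.yaml` in the diffstat, so the edit belongs there with a regenerate of this file.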
@@ -1772,13 +2160,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", "properties": { - "description": "Claroty Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", + "description": "Claroty Analytics Rule 10", + "parentId": "[variables('analyticRuleId10')]", + "contentId": "[variables('_analyticRulecontentId10')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "version": "[variables('analyticRuleVersion10')]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -1803,73 +2191,223 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId2')]", + "contentId": "[variables('_analyticRulecontentId10')]", "contentKind": "AnalyticsRule", - "displayName": "Claroty - Critical baseline deviation", - "contentProductId": "[variables('_analyticRulecontentProductId2')]", - "id": "[variables('_analyticRulecontentProductId2')]", - "version": "[variables('analyticRuleVersion2')]" + "displayName": "Claroty - Treat detected", + "contentProductId": "[variables('_analyticRulecontentProductId10')]", + "id": "[variables('_analyticRulecontentProductId10')]", + "version": "[variables('analyticRuleVersion10')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ClarotyBaselineDeviation_HuntingQueries Hunting Query with template version 3.0.1", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_1", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Claroty - Baseline deviation", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has 'Baseline Deviation' or EventType has 'Baseline Deviation'\n| 
project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for baseline deviation events." + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", + "properties": { + "description": "Claroty Hunting Query 1", + "parentId": "[variables('huntingQueryId1')]", + "contentId": "[variables('_huntingQuerycontentId1')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion1')]", + "source": { + "kind": "Solution", + "name": "Claroty", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId1')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Baseline deviation", + "contentProductId": "[variables('_huntingQuerycontentProductId1')]", + "id": "[variables('_huntingQuerycontentProductId1')]", + "version": "[variables('huntingQueryVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ClarotyConflictAssets_HuntingQueries Hunting Query with template version 3.0.1", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_2", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Claroty - Conflict assets", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has 'New Conflict Asset' or EventType has 'New Conflict Asset'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for conflicting assets." 
+ }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", + "properties": { + "description": "Claroty Hunting Query 2", + "parentId": "[variables('huntingQueryId2')]", + "contentId": "[variables('_huntingQuerycontentId2')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion2')]", + "source": { + "kind": "Solution", + "name": "Claroty", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId2')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Conflict assets", + "contentProductId": "[variables('_huntingQuerycontentProductId2')]", + "id": "[variables('_huntingQuerycontentProductId2')]", + "version": "[variables('huntingQueryVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName3')]", + "name": "[variables('huntingQueryTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], 
"properties": { - "description": "ClarotyLoginToUncommonSite_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ClarotyCriticalEvents_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + "contentVersion": "[variables('huntingQueryVersion3')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_3", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects user login to uncommon location.", - "displayName": "Claroty - Login to uncommon location", - "enabled": false, - "query": "let usr_sites = ClarotyEvent\n| where TimeGenerated > ago(14d)\n| where EventType has 'Login to SRA succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\slogged', 1, EventMessage)\n| summarize all_loc = makeset(tostring(Site)) by SrcUsername\n| extend k = 1;\nClarotyEvent\n| where EventType has 'Login to SRA succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\slogged', 1, EventMessage)\n| extend k = 1\n| join kind=innerunique (usr_sites) on k\n| where all_loc !contains Site\n| extend SrcIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Claroty - Critical 
Events", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventSeverity == '5'\n| extend IPCustomEntity = DstIpAddr\n", + "version": 2, + "tags": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for critical severity events." + }, { - "fieldMappings": [ - { - "columnName": "SrcIpAddr", - "identifier": "Address" - } - ], - "entityType": "IP" + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190" } ] } @@ -1877,13 +2415,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", "properties": { - "description": "Claroty Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "description": "Claroty Hunting Query 3", + "parentId": "[variables('huntingQueryId3')]", + "contentId": "[variables('_huntingQuerycontentId3')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion3')]", "source": { "kind": "Solution", "name": "Claroty", 
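Review bot: Every hunting query added in this hunk tags `tactics` = `InitialAccess` and `techniques` = `T1190`, and hunks `@@ -1908,73 +2446,53 @@`, `@@ -2013,73 +2531,53 @@` and `@@ -2118,73 +2616,53 @@` repeat the same pair for PLC logins, SRA failed logins and network-scan sources. T1190 (Exploit Public-Facing Application) does not describe a baseline deviation, a conflicting asset, a login failure or a port scan, so the tags look copied from one query rather than assigned per query; failed logins fit `CredentialAccess` / `T1110` and scan sources fit `Discovery` / `T1046`, for example. Because these tags are what Sentinel surfaces in its MITRE coverage blade, mis-tagging overstates coverage of one technique while leaving the relevant ones unreported. The values originate in the individual Hunting Queries YAML files listed in the diffstat, so the correction belongs there followed by a repackage.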
@@ -1908,73 +2446,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId3')]", - "contentKind": "AnalyticsRule", - "displayName": "Claroty - Login to uncommon location", - "contentProductId": "[variables('_analyticRulecontentProductId3')]", - "id": "[variables('_analyticRulecontentProductId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('_huntingQuerycontentId3')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Critical Events", + "contentProductId": "[variables('_huntingQuerycontentProductId3')]", + "id": "[variables('_huntingQuerycontentProductId3')]", + "version": "[variables('huntingQueryVersion3')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName4')]", + "name": "[variables('huntingQueryTemplateSpecName4')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyMultipleFailedLogin_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ClarotyPLCLogins_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + "contentVersion": "[variables('huntingQueryVersion4')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId4')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + 
"apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_4", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects multiple failed logins by same user.", - "displayName": "Claroty - Multiple failed logins by user", - "enabled": false, - "query": "let threshold = 5;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend AccountCustomEntity = SrcUsername\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Claroty - PLC logins", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType =~ 'Alert'\n| where EventType has 'Login'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "version": 2, + "tags": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for PLC login security alerts." + }, { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "Name" - } - ], - "entityType": "Account" + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190" } ] } 
@@ -1982,13 +2500,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", "properties": { - "description": "Claroty Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", + "description": "Claroty Hunting Query 4", + "parentId": "[variables('huntingQueryId4')]", + "contentId": "[variables('_huntingQuerycontentId4')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion4')]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -2013,73 +2531,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId4')]", - "contentKind": "AnalyticsRule", - "displayName": "Claroty - Multiple failed logins by user", - "contentProductId": "[variables('_analyticRulecontentProductId4')]", - "id": "[variables('_analyticRulecontentProductId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentId": "[variables('_huntingQuerycontentId4')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - PLC logins", + "contentProductId": "[variables('_huntingQuerycontentProductId4')]", + "id": "[variables('_huntingQuerycontentProductId4')]", + "version": "[variables('huntingQueryVersion4')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName5')]", + "name": "[variables('huntingQueryTemplateSpecName5')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyMultipleFailedLoginsSameDst_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ClarotySRAFailedLogins_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", + "contentVersion": "[variables('huntingQueryVersion5')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId5')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": 
"Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_5", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects multiple failed logins to same destinations.", - "displayName": "Claroty - Multiple failed logins to same destinations", - "enabled": false, - "query": "let threshold = 10;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by Site, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend SGCustomEntity = Site\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Claroty - User failed logins", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername\n| extend AccountCustomEntity = SrcUsername\n", + "version": 2, + "tags": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for login failure events." + }, { - "fieldMappings": [ - { - "columnName": "SGCustomEntity", - "identifier": "DistinguishedName" - } - ], - "entityType": "SecurityGroup" + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190" } ] } 
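Review bot: In the `Claroty - User failed logins` query, `SrcUsername` comes from `extract(@'User\s(.*?)\sfailed', 1, EventMessage)` and is then used directly as the `summarize` key and as `AccountCustomEntity`; any event whose message does not match the pattern yields an empty username, and all such events collapse into one unnamed bucket with no account entity attached. Adding `| where isnotempty(SrcUsername)` before the `summarize` — or keeping `EventMessage` in the output so unmatched rows stay visible — keeps the hunt honest about what it could not attribute. The same `extract` pattern is used elsewhere in this template, so the guard is worth applying consistently in the source YAML rather than in the generated file.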
@@ -2087,13 +2585,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", "properties": { - "description": "Claroty Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "description": "Claroty Hunting Query 5", + "parentId": "[variables('huntingQueryId5')]", + "contentId": "[variables('_huntingQuerycontentId5')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion5')]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -2118,73 +2616,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId5')]", - "contentKind": "AnalyticsRule", - "displayName": "Claroty - Multiple failed logins to same destinations", - "contentProductId": "[variables('_analyticRulecontentProductId5')]", - "id": "[variables('_analyticRulecontentProductId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentId": "[variables('_huntingQuerycontentId5')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - User failed logins", + "contentProductId": "[variables('_huntingQuerycontentProductId5')]", + "id": "[variables('_huntingQuerycontentProductId5')]", + "version": "[variables('huntingQueryVersion5')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName6')]", + "name": "[variables('huntingQueryTemplateSpecName6')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyNewAsset_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ClarotyScanSources_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('huntingQueryVersion6')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId6')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": 
"Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_6", "location": "[parameters('workspace-location')]", "properties": { - "description": "Triggers when a new asset has been added into the environment.", - "displayName": "Claroty - New Asset", - "enabled": false, - "query": "ClarotyEvent\n| where EventOriginalType has 'New Asset' or EventType has 'New Asset'\n| extend IPCustomEntity = SrcIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Claroty - Network scan sources", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has_any ('Network Scan', 'TCP Scan', 'UDP Scan') or EventType has_any ('Network Scan', 'TCP Scan', 'UDP Scan')\n| project TimeGenerated, SrcIpAddr\n| extend IPCustomEntity = SrcIpAddr\n", + "version": 2, + "tags": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for sources of network scans." + }, { - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ], - "entityType": "IP" + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190" } ] } 
@@ -2192,13 +2670,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", "properties": { - "description": "Claroty Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", + "description": "Claroty Hunting Query 6", + "parentId": "[variables('huntingQueryId6')]", + "contentId": "[variables('_huntingQuerycontentId6')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion6')]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -2223,72 +2701,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId6')]", - "contentKind": "AnalyticsRule", - "displayName": "Claroty - New Asset", - "contentProductId": "[variables('_analyticRulecontentProductId6')]", - "id": "[variables('_analyticRulecontentProductId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentId": "[variables('_huntingQuerycontentId6')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Network scan sources", + "contentProductId": "[variables('_huntingQuerycontentProductId6')]", + "id": "[variables('_huntingQuerycontentProductId6')]", + "version": "[variables('huntingQueryVersion6')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName7')]", + "name": "[variables('huntingQueryTemplateSpecName7')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyPolicyViolation_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ClarotyScantargets_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('huntingQueryVersion7')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId7')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": 
"2022-10-01", + "name": "Claroty_Hunting_Query_7", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects policy violations.", - "displayName": "Claroty - Policy violation", - "enabled": false, - "query": "ClarotyEvent\n| where EventOriginalType has 'Policy Violation' or EventType has 'Policy Violation'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Claroty - Network scan targets", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has_any ('Network Scan', 'TCP Scan', 'UDP Scan') or EventType has_any ('Network Scan', 'TCP Scan', 'UDP Scan')\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "version": 2, + "tags": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - } - ], - "tactics": [ - "Discovery" - ], - "techniques": [ - "T1018" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for targets of network scans." + }, { - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ], - "entityType": "IP" + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190" } ] } 
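Review bot: The `tags` block on the new `Claroty_Hunting_Query_7` saved search labels a network-scan-target hunt with `"tactics": "InitialAccess"` and `"techniques": "T1190"`, whereas the analytic rule it replaces on the old side of this same hunk carried `Discovery` / `T1018`. The identical InitialAccess/T1190 pair is stamped on every hunting query in view — "Network scan sources" (the hunk cut off above), "Network scan targets", "Unapproved access", "Unresolved alerts" and "Write and Execute operations" — which reads as a template default rather than a per-query mapping and will misreport these hunts in MITRE coverage views. Since mainTemplate.json is generated, the correction belongs in each query's `tactics:` / `relevantTechniques:` entries in the Hunting Queries YAML (for the two scan queries, `Discovery` is what the replaced rules used), followed by regenerating the package.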
@@ -2296,13 +2755,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]",
 "properties": {
- "description": "Claroty Analytics Rule 7",
- "parentId": "[variables('analyticRuleId7')]",
- "contentId": "[variables('_analyticRulecontentId7')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion7')]",
+ "description": "Claroty Hunting Query 7",
+ "parentId": "[variables('huntingQueryId7')]",
+ "contentId": "[variables('_huntingQuerycontentId7')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion7')]",
 "source": {
 "kind": "Solution",
 "name": "Claroty",
@@ -2327,72 +2786,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId7')]", - "contentKind": "AnalyticsRule", - "displayName": "Claroty - Policy violation", - "contentProductId": "[variables('_analyticRulecontentProductId7')]", - "id": "[variables('_analyticRulecontentProductId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentId": "[variables('_huntingQuerycontentId7')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Network scan targets", + "contentProductId": "[variables('_huntingQuerycontentProductId7')]", + "id": "[variables('_huntingQuerycontentProductId7')]", + "version": "[variables('huntingQueryVersion7')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName8')]", + "name": "[variables('huntingQueryTemplateSpecName8')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotySuspiciousActivity_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ClarotyUnapprovedAccess_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", + "contentVersion": "[variables('huntingQueryVersion8')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId8')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", 
+ "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_8", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects suspicious behavior that is generally indicative of malware.", - "displayName": "Claroty - Suspicious activity", - "enabled": false, - "query": "ClarotyEvent\n| where EventOriginalType has 'Suspicious Activity' or EventType has 'Suspicious Activity'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Claroty - Unapproved access", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventSeverity =~ 'Unapproved'\n| where isnotempty(CategoryAccess)\n| extend IPCustomEntity = DstIpAddr\n", + "version": 2, + "tags": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - } - ], - "tactics": [ - "Discovery" - ], - "techniques": [ - "T1018" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for unapproved access events." + }, { - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ], - "entityType": "IP" + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190" } ] } 
@@ -2400,13 +2840,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]",
 "properties": {
- "description": "Claroty Analytics Rule 8",
- "parentId": "[variables('analyticRuleId8')]",
- "contentId": "[variables('_analyticRulecontentId8')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion8')]",
+ "description": "Claroty Hunting Query 8",
+ "parentId": "[variables('huntingQueryId8')]",
+ "contentId": "[variables('_huntingQuerycontentId8')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion8')]",
 "source": {
 "kind": "Solution",
 "name": "Claroty",
@@ -2431,72 +2871,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId8')]", - "contentKind": "AnalyticsRule", - "displayName": "Claroty - Suspicious activity", - "contentProductId": "[variables('_analyticRulecontentProductId8')]", - "id": "[variables('_analyticRulecontentProductId8')]", - "version": "[variables('analyticRuleVersion8')]" + "contentId": "[variables('_huntingQuerycontentId8')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Unapproved access", + "contentProductId": "[variables('_huntingQuerycontentProductId8')]", + "id": "[variables('_huntingQuerycontentProductId8')]", + "version": "[variables('huntingQueryVersion8')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName9')]", + "name": "[variables('huntingQueryTemplateSpecName9')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotySuspiciousFileTransfer_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ClarotyUnresolvedAlerts_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('huntingQueryVersion9')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId9')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - 
"properties": { - "description": "Detects suspicious file transfer activity.", - "displayName": "Claroty - Suspicious file transfer", - "enabled": false, - "query": "ClarotyEvent\n| where EventOriginalType has 'Suspicious File Transfer' or EventType has 'Suspicious File Transfer'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_9", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Claroty - Unresolved alerts", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType =~ 'Alert'\n| where ResolvedAs =~ 'Unresolved'\n| extend IPCustomEntity = DstIpAddr\n", + "version": 2, + "tags": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - } - ], - "tactics": [ - "Discovery" - ], - "techniques": [ - "T1018" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for alerts with unresolved status." + }, { - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ], - "entityType": "IP" + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190" } ] } 
@@ -2504,13 +2925,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]",
 "properties": {
- "description": "Claroty Analytics Rule 9",
- "parentId": "[variables('analyticRuleId9')]",
- "contentId": "[variables('_analyticRulecontentId9')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion9')]",
+ "description": "Claroty Hunting Query 9",
+ "parentId": "[variables('huntingQueryId9')]",
+ "contentId": "[variables('_huntingQuerycontentId9')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion9')]",
 "source": {
 "kind": "Solution",
 "name": "Claroty",
@@ -2535,72 +2956,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId9')]", - "contentKind": "AnalyticsRule", - "displayName": "Claroty - Suspicious file transfer", - "contentProductId": "[variables('_analyticRulecontentProductId9')]", - "id": "[variables('_analyticRulecontentProductId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentId": "[variables('_huntingQuerycontentId9')]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Unresolved alerts", + "contentProductId": "[variables('_huntingQuerycontentProductId9')]", + "id": "[variables('_huntingQuerycontentProductId9')]", + "version": "[variables('huntingQueryVersion9')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName10')]", + "name": "[variables('huntingQueryTemplateSpecName10')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyTreat_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ClarotyWriteExecuteOperations_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", + "contentVersion": "[variables('huntingQueryVersion10')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId10')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": 
"Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_10", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects Collection of known malware commands and control servers.", - "displayName": "Claroty - Treat detected", - "enabled": false, - "query": "ClarotyEvent\n| where EventOriginalType has 'Treat' or EventType has 'Treat'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Claroty - Write and Execute operations", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(CategoryAccess)\n| where CategoryAccess != 'Read'\n| extend IPCustomEntity = DstIpAddr\n", + "version": 2, + "tags": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - } - ], - "tactics": [ - "Discovery" - ], - "techniques": [ - "T1018" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for operations with Write and Execute accesses." + }, { - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ], - "entityType": "IP" + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190" } ] } 
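Review bot: `| where CategoryAccess != 'Read'` in the new `Claroty_Hunting_Query_10` query uses KQL's case-sensitive `!=`, while the sibling hunting queries in this change compare with the case-insensitive `=~` (`EventSeverity =~ 'Unapproved'`, `ResolvedAs =~ 'Unresolved'`); a `read` or `READ` value emitted by the parser would therefore surface as a write/execute hit. `| where CategoryAccess !~ 'Read'` keeps the intent and matches the rest of the set. The query text is presumably carried over from ClarotyWriteExecuteOperations.yaml, so the fix belongs there with the package regenerated afterwards.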
@@ -2608,13 +3010,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]",
 "properties": {
- "description": "Claroty Analytics Rule 10",
- "parentId": "[variables('analyticRuleId10')]",
- "contentId": "[variables('_analyticRulecontentId10')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion10')]",
+ "description": "Claroty Hunting Query 10",
+ "parentId": "[variables('huntingQueryId10')]",
+ "contentId": "[variables('_huntingQuerycontentId10')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion10')]",
 "source": {
 "kind": "Solution",
 "name": "Claroty",
@@ -2639,12 +3041,12 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId10')]",
- "contentKind": "AnalyticsRule",
- "displayName": "Claroty - Treat detected",
- "contentProductId": "[variables('_analyticRulecontentProductId10')]",
- "id": "[variables('_analyticRulecontentProductId10')]",
- "version": "[variables('analyticRuleVersion10')]"
+ "contentId": "[variables('_huntingQuerycontentId10')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Claroty - Write and Execute operations",
+ "contentProductId": "[variables('_huntingQuerycontentProductId10')]",
+ "id": "[variables('_huntingQuerycontentProductId10')]",
+ "version": "[variables('huntingQueryVersion10')]"
 }
 },
 {
@@ -2652,12 +3054,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Claroty", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Claroty solution for Microsoft Sentinel enables ingestion of  Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Agent-based log collection (CEF over Syslog)
  2. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Claroty solution for Microsoft Sentinel enables ingestion of  Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel.

\n
    \n
  1. Claroty via AMA - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. Claroty via Legacy Agent - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of Claroty via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2683,9 +3085,14 @@ "operator": "AND", "criteria": [ { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId1')]", - "version": "[variables('workbookVersion1')]" + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId2')]", + "version": "[variables('dataConnectorVersion2')]" }, { "kind": "Parser", 
@@ -2693,59 +3100,9 @@ "version": "[variables('parserVersion1')]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId1')]", - "version": "[variables('huntingQueryVersion1')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId2')]", - "version": "[variables('huntingQueryVersion2')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId3')]", - "version": "[variables('huntingQueryVersion3')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId4')]", - "version": "[variables('huntingQueryVersion4')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId5')]", - "version": "[variables('huntingQueryVersion5')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId6')]", - "version": "[variables('huntingQueryVersion6')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId7')]", - "version": "[variables('huntingQueryVersion7')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId8')]", - "version": "[variables('huntingQueryVersion8')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId9')]", - "version": "[variables('huntingQueryVersion9')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId10')]", - "version": "[variables('huntingQueryVersion10')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" }, { "kind": "AnalyticsRule", 
@@ -2796,6 +3153,56 @@ "kind": "AnalyticsRule", "contentId": "[variables('analyticRulecontentId10')]", "version": "[variables('analyticRuleVersion10')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId1')]", + "version": "[variables('huntingQueryVersion1')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId2')]", + "version": "[variables('huntingQueryVersion2')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId3')]", + "version": "[variables('huntingQueryVersion3')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId4')]", + "version": "[variables('huntingQueryVersion4')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId5')]", + "version": "[variables('huntingQueryVersion5')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId6')]", + "version": "[variables('huntingQueryVersion6')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId7')]", + "version": "[variables('huntingQueryVersion7')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId8')]", + "version": "[variables('huntingQueryVersion8')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId9')]", + "version": "[variables('huntingQueryVersion9')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId10')]", + "version": "[variables('huntingQueryVersion10')]" } ] }, From 7e51d49eef1f32a2c73888a5b07e1e46ca760532 Mon Sep 17 00:00:00 2001 
From: v-rusraut Date: Mon, 11 Sep 2023 13:59:22 +0530 Subject: [PATCH 3/3] Updated Release Notes and CreateUiDefinition --- Solutions/Claroty/Package/3.0.1.zip | Bin 18406 -> 19263 bytes .../Claroty/Package/createUiDefinition.json | 36 ++++++++---------- Solutions/Claroty/Package/mainTemplate.json | 16 ++++---- Solutions/Claroty/ReleaseNotes.md | 7 ++-- 4 files changed, 27 insertions(+), 32 deletions(-) 
diff --git a/Solutions/Claroty/Package/3.0.1.zip b/Solutions/Claroty/Package/3.0.1.zip index fecd10ddf211cdfc2a197bdbb7ba7bb706f0259a..ee9758954ecc3a18cc12f6725f343f5ea1f83cb1 100644 GIT binary patch literal 19263 zcmX_{V{|0l*Y;!E&cse8b}~t(W81cE+cqaQC$??dwv9J)|DW}Ks@km`KDK0;et0vh*>s|!H+cT9)jGf zU4ma`y^^vE*>}~`tc7yj|Gzhh0Zn*{HNFm(MWxO2fDSNqL9C2C?VnU@nKTxEnc zlRBx|ug_fIQxFahiv7aJyNZ2@@B|U2kC{m){1z_Pr~P&BFXc84pK^2k6Fv9~2i|9i z=~JWFW+{D+15I*AJ%mSAeykKbn(iD0jQ`o63f|Y&)`)Q{OBO(4tcw)+>?<{mHS9WS z0sv*P`w0FLP=bn5pk_Hc;zccU`!g1h%V@|Y%fsk>;B##%To03-bFePw$e3xzEJIOh z45Q34Otc?W*#AL*CqxpHh6Vf=Xk^AOQ|#i^d+as%Ro{7$2$mq7llJ;v?3RGS8grHL{fV)3_pBLJU3D9HKOB z#Ro$SrssiUq5XfYL+j#$#&_3pqC$g=KZ6pF6~S=cNoav=fYAm=8c@^2t5Ug@I$jnp57)OD!z&f~uNi*Ki zt4bh|+4!M52OMRJ_#$U3!I%o7%`*S8+ntO#ocs|1jD*zMKug{9QPH=mFT(D>~4SgA%uO;^)cI6 zIVa|}MSpQToyIv!LdM{FOdLFS3nd>d;_bK54c{E zN?eTT9yoq7EL2zJ?yqqwlIKB29!copsxNx4UPMW+cd^Rapz0M;(q}+yV;9 zK@dC+Aef6LnxjpQCBKIU7;|3QeoO^i3Ll#howsQV10s|@Jwf82<3@lq29`%O3e#<+ zq#IxZ?}jm&J!u(Q+3G*Q%zUMsx_kj2*Q@PQ?6O%}_lh5=S|lcRh!Su*iO3*RmJXfU zlD3Af=Or6sy~3eKMDW-ozG$le`Wj8{xt-vDw7ug3!L5Vn?A!#jLw<5d$tq@NCj@-i z*9p-w4ojARiDaWJ49lel62fjFMEu8y9&mh{Wk5qHI1*l%QvV|mT_`dHQxl3<_R{%o z)Fg#Pu(}il=~AG^(ow2t(N^`D2K|RUO?N1{R&lJB3Bg8X8L;I;FeXR4%zHC|+b7-S z30BNmRU9Oc+zVfinpd6E z;z^DZE%`(TVH42(OMG^owZlMfYYe4Bg{|0ufcDHJ^A+%jjD6+Zuj=$6?pC#o8#HqNL~5UZ%t(5)1Ih0Ssob`*3YT23Qd<*8!mEm- z^2}C#Ssn-YOW4sDX%-^6I0+i7XK+JM>*!R1BU>!AmPb4Yw`7lR#nPk4uAQWg758`OUESMYkG1-Ei-TVi9j ziz|w*3n>9i5s2+aEePtcscJ6^`t5frP(KL#sI*C5C*Bu;aKpYHG8al((eak^JnT7s zcypjTth{V~u!dqrcn>}8gb*V>H`Dc3qpZ)-U_6}-2Wm_B)v28IBsh3*+)yW_=;gp1 zeCB?D_t%4c-}1n|YE!XFFQR>*qAI10VE_|wdupNV) zHa(vhnvB@7j9{m+p>*gH=f^S+W1PLXcViUcQ^u-^`N>@4kG|bT3f(ym?>FkV>LgF9 zLfUWPpqA9bf#&4bvLuF>nQYQsl|WByFVr9jpm676?RNo$4- zTA)k29CGyVZ$v?;H+lmvLrTJ5_3GONk%O;SaT&>}CSp#f`N~K-9Zz#ih3t+uNj0*AYqQ;~#6{VLm{oy`p z;YeASF_-~C&0uG67j#9i!I;g&)EJ7j9?7@tRuXQb0O!ql!TI}%Bhpit(iZovzrS2u z)Z>oBcpsgVl1~AU+l-W0Kb|&bpk0=zHt@}C62R_o!<*=9!!euN0ARa%?W7JK 
zFBpVwZwmvvEp4pNlUg{m3Ob?IC&qe4vJLhg3&T!lO-kc@UBp#GF|J_Mbem=K+RrnV zZsZW-%Z4%Vo(pzHWGU;NiEaJMA?i~PhK;h3bd1+^S^now7Yh&6!#3jzc>&E}O(IG_ z6ZGc{4~Jt%ihVVx6fss^iMUvzpMQRy5_>1Qarpf6Tb9 z9SF3>dyw=PUaDdUzdYoU` zA++@>GFSB6zv!g%*`QKLC|JP!JAk|EN2xvQB3-O$HuupV^0&MGl8#{NaiuL0CTpU5 z(7W+HPu1-tsnUxoV@B4EY^_u_*~^heDEw)hqe!pe+^z9|>fPVx3sUy~w-vMBZG{ra z{tF==5YW>+2oUmjTVbVVX02#sWo!A}T>RHioNIYFth2>`eU)8u|EX6gAA+8}W@UC% zvM)|zZ>w64p1LJ>I%vj=1!L8mibahlabr7sJ6{6YBK@ULX;$Ghu1H2w2kgl1y#Zgt zy>0XLX#<7-F0xC19FE5$02#reMIkde^_Sa(1|{C2HBZl7__H?bBn`Ln)?}oGZ^n{` z@#Z)8)3H0Y74`;ht2%?2_|#|i?;Sz}=@%etw4&>C5gZBuv^u-`ztC?KKAm|~H=?5) z&rut`8ionT1HC7`n3NyUGrGb*jj~|}WeP@oq zG7YDVB3^ZBMf~vx!A%~xbEK>N^dAy6DjZV$zWZX~-fr25{?!;W#wU8F;a|URbi~eEkXhai;Bs>) zVR}gm`wcqs90g_=n&jSz)KF7){U>y$FNke1DMe#N_O>B{@ApgxMsjri)b$ATJQbf0 z73+JqYL%TdRSst@JYWDpffC?%7A@hSB99_P#DkCztdl~4j#CPO_rWDp>ta|ll#Y4h zXDgR*a?xfJ5)gLbCU+3o#~9kzQ-!@NFcQG{$sv3m&9JsYjo4>ESc5o-8H7{swStU6 z3$_~0WlTH%y+j`f%R|I5){4pK?L~r&5|vs_35tY^0QbQMHdpo$+V$m-P-lMyft})6 zBztlZt4bVy+u4=TjMZDFI;KlgKi)=o}q>j&p~X=Y$k;W`5KZF*cdkc|y=tVVc=%uiDzXhMyAr@dTpZ zMq6-i$-5*+n6+8~1kfx>Nl~Urji)V@kpV;$UQqUx@Z4~l0u?81#QCNnNSriy8^|N? 
z`sReDc=!2b$-9-ve{F`;bK1PtPf9FC#BZ;-)}7D=+EA6$33V77V%GGcs@Bps>3c1Q z7lPi$BI4G0Zs$e#0E8Aj;9GQ9y|~P9>poTC)l_~OdZ`Fmi@u3|pR?>Y`v3ZXj*>Xa zT*KDq`J?i#R#<>>asAGYRo%dMZZF$B#)#pZjkHXqDTmV6SUa?dGa6TW*Eu3n44~OG zV&|9mqcP<57{}?tFa&p{mql}&n*4_vcP0;B}@tk#a{)2q3232@7{Kp0(B0$my!*GksYZ$|R^QT@d z-xh-C7FxE0LeOV)kxIv8={oLHkPqS5q=4u#eQsj5yg}2_PzmOF0#hWkLTM*_M zl3AqH+Iqv)*(h-}nO;q50kgP91t=`jbbne=dq-R;bUL&2+a2}j6N*8dkds4ps%Uz% z=2i?ZQz3q2ogxernQ^;ToiR%qpYs=$a&lq&dYB9_6vg*x`Pep}joNOF6&Zl7uSuM0 zH^;0BuHw|FKs)pN69cyk(lg|&O zU--JXgduKjr0MFnKCaimZ%`}(t<#Y;YuGnyAR@R(U|%kh1hqB5u2&8rx=6rZTGfJ+ zDgc@tT1(5%fZFVR==Z0zCIjU+vD-4 z;!Zv=7Y*pkM!d_%fW8go;IS$ehD&DAnjjH#s8ui*Ds5xB>Huu zUB_v9!P}q9;7MM+$ebIV`r{iX>)o9vJ;dHsa+VpFXm5{(rxQo0CW0HlH7>K|`qZ4u zZ?ol3AkJFY=N=e9s|QwE3S^^O`B6&a6*?u^r# zK%Hmx|4*m?pN{;u&TZL0o$`M=+W&M4mHz3xDI%Y{sV}gEvgWE5C&ODf$8bJymPgck zTIioK4`HhhI?k5;k5JhY$YUwf@>9GLKJcToas%SIL0#D!cpGIY^*`Ju;krkT4qO?o z*)|43F7TEpOMQ)J%gc3@EB!yE`f84Wmbt~07?beMy~GwgfZrtlu`d0`y7(V!&i`1; z|Hs+^P~*TABkh@j#g(nW=eu$1$&+(}))&8#EmLwZ!E5l%DDi)DOZ=XjR~6i2hoPc~ zZ%2aM1?XF9*3FIL($R83dQ2EIB;?hE zWu6Q#(@hp|v&&p5N?mrpybjlcHqzE;(W8Jj|H?da>Xos=+b@3Vj8>g_*o0C+$tG}y zU>jIo!F@wc_5Jd9X_a*ZIuzcCfw3Tix`QKyq@g%J9vkMgwqnZ%4bia1eNTK5c0Wji ztfN!vF(jBE!D>VN{qvg6hcIiykhdKtNgEJ%4U&nek9b0r+1irygZ#l8cSxHc4F7VW zg;RLm)}q{$cO+%=ohSY;x1Zn$VQ+q#E0TPlZ0)`EllZ{@9MIMEOOlnY-#kP1IT1Lw-&3EQ(G)sm{@H zKO+UMi+u$JvmmT@@uE%-N9K}J`h7LM*HAO!%R*#1JfBi5L#ypy%>K|aM*T|kFA^X= z?Vy=N1h4}OOr5aWH68Eb6v@nvxbM*h7z*sAABc-u7=QZr6Sf~Gmp@PV=QX*FxrhWQ z9Tp?l)9_fg`Fk>U@RjXS3>>HV~ZH56J$Q8`rmY!ECy=`JvebeMs37<4h%3?=sj zIdG@n3(CZST#^Zj7RnSXQ%zSgvXxr-z^8HyxC8lPQ_#dyxf_S>19lV^Sggp-S^3dXZzK}s=7L(3)rlgaDoK=M7 zqw5ro$t`z5*PfI56GRE0T;ylq8a&{{h$@Bih($EXJvG= zCrA09i#<4mex?z&;*jd~>pQjbx~CUREn;S4681SXe}=_Rn1fHA66&@g(+0*w$NdG6 zVPBC=H2b|}?tk!7MoL}dLgD5oD)kSKnKp#?62I2&8OPYe<2~sGlTvZdoI4>f5Ro%o zps8p{*!ZIZw*H{Mxb}PB*7RmR*tLm?JVm}g6F8=L#BDX%sVOfTv=fE zk*_x#E6D4(RhNk_B!80$09(9TW3Q>z-xxZ#w8faS!S0reLPD-7p~dZd#&KINz`8sJoVzRH@^d1AXVmcFY#sMnjSTeG4%$ygVha{r)gE zvr5=ShlW}IA`jU#4oItfj4l2R|F 
zcOY&0wF`fSQPyVSOAy0z=8emGxQFBuQ6Q`;yvHm&%e zou@mZVUU>pfP=u5u}Spc$MTKyHeCwyG1V%dde6?$WlB>HX`L#|GWkO_1mb%$_i6oY z^x05tkl&_-`mDtb{DnP{X4)}J_=Rk^)Q5e@-kn!);l@MiSWr7!Jd@V`I0tLTBI?Ru z4+U!QsK?@lYg^3$(30~o@+?t`Ajks{_kK5>Gd$MfBke$|n^@U?&Tc?WpRW zGu8rKw^=67s}^X_4N}tNhe-ac(9N&J^wV|o58Tz1 z`(`$adV4tNa;lXc_>6((0NExAE5ou0ccPEL{sTGMl+j~&O*n>OhqiSa`O|MepuLHE zcM;Zx_8i&{VXVZ*(+d&{pN5SbvZ8^#hci6&21mwejajGf9zDeyJALGiC%A_sP7b@Y zfy|`e#N8v5&pV094-qqy_bu|AX`9tz0kWr;+H>lrtCSh{u}xO~BbX~2axLdti8>nN zl=>_@7^jeQ?pmHi6B^&%2&3vJLQ_V2wN`O9+sjWZFlJ0p)aSq##O-Uc7U(K9O)yy| zsO(I`_1y+eeo8wlGqcx6$4_Cxr)QJ_WXxB1Tt8mF8#4`dQbqb2txqbJ z-lUgDC?$eYyjgV{-w&w2fH0tbP;D|P#bIF&y}T4WSFUi6SgVIkzlOk=ONLsCe;&_g z=mQ3`;Ib4Oa~lmLMvB_y=>gNkb5$<{r;$%#V6hPP)ccnJ+lpqO%R(hi+S`(M+wc9XJUbGUCsagmr2*en(3f0} zRaBulj@24Ra*nwBo?cUnSZh)%hn_sMYUQ{5<4NRuX*nd2o|u7kMd2@5>00CIIM+Vg zRK+*8-BvjaOxPyWfhAJ7&p5J0i^MZi?B=zc7NssP?GB2!#=A~piNQL$cJUvKYWMpq zYr**|R9dqgE4daMrsXa9n{D%K72z__&iz}tkENFOGC@RcXNN99sx4R&5%^?hM$;7n z7HFpXL(G}%5qsv62pIA}ODwdbhkPE$N`GGql!O`-R^X^3B3lXd6Q4*gOG;GDB;#Ul z59z_B+z8WJjr6Jwi(IWJsX!N)@v1M|)-iq$F}6g6&f+!cH)G>7fFrI|j^3cUGEi);JIJ_DFvtlm-XQl44%^)ZxO z&)&lTJlBcw=}9G{0nrIT6RIJrQ-nSL*5(ba<%K15DGeP|`pP?Rk~ak84>=Kgw*dzq zm0p~^+J=nV-F*g|7h9K!n zT(w|0*FY%4oqCkGePk`PhNB<_w07jAFIG2H zAgWQ{*)~*!Cou`4)k?Go3b$|xcL*z0vNcqD3fDRwRyCC9h{Kn)n;RF0r_BIxHcHzi z=uRdD-fk@>j(Ha&Hzg{MCmo&}$nT$&QOl5a`YlM4hKtY^(9C&_1jHGCMU`B<+naL@ z$cb?hU!WN!nzOn%i^sH)J1nV>cVgypXZzo`aS9ZpxN|Uggk%=Kxk+!#Ww_1GKrdDo zU!q6kV;pwfD?Hs-nV1S6ElP~}bSOMI+Pz#OG$0uza6dz;N&Q~=?*Z9WviQSxoEl8~~77<54#`UCxp`_V1uKzL7 zm(SyOT|0RkYF_0*xkF9g)8^uQ!E~o1!>g!n@njrEP$XD(>ixS=aYeP#w2*Ww*R{}+ zSyezu9zjVyDe!yPdpu1wb>X?PpHkx*XbIuzyinSk<4Us8g2y3%(2;v=vJR+}8U`jG z$%KrGzf)8i+pw`gQ|fV_*g2wtbAksGegz_Pr@|e%gV~-#H~vs6GnbO^qDy|4bW5|{ zyXQkksXl#hTmSl^5ZrW$ulss``|@|!?E#fwIN*qba7K)7jJoYs1zt16O}?Rd zVSSu@g_NVd$ThdBg%dVO%Tj6TPP$gY3yvm{-#0C=X05mx58kmDDM1C_?-XGgMQl*`^Zz3{Y3Lc*-3cmTJpvm z;vNDd-3(Kc=?sayvxl*{zRsf+zupt>W6q%j8!9FW7;t>-Z#6Q389A#k(e+f(eNIvG 
zyBVhQ;=k|i%?KUYGIdDko)_2;w93@Q`T#8r)0yd-*dNF}bj2*`{sVNf?O+-3xyLXu z+*8v0ChD^Z`33`%aG|+lrc=kk(u-W2=ziItUvY~y;vxOHIMH`^l=n-=L}tW?uU7t6 zh|H%d(I9QG5Iq~m(e>=ykSA)e^&*ulQCxK_Z4FNx&Io;t9M1S8$Q`j2H+0F6MurYc zxEmqBe2k(Y2+mZZro(1SeY(mxxqae}IaRKfF;FZ>JK*ar;w0X3h!3k$wlb9TMpmMw zP)jA+h)QJRZ`IGs4EKcWXON^yY}IQQT0d5n{R|i8w3PCoqc|5JgB2SU6{BAwW#5!R z=8chZ*fy?Nq6FukX6t0&qXuGaIbkejbfN3Ay7 zbqYPsYL784vI;)+o18;=9fX{U4nzAZVK7GNo2<-H;_Utj_2MH{aFlVMVUqnjem%LG@8M-ZM;tVia^*@`TodrWnr}EWK>#f~~1;JQaWg=M-^LQc8 zQk=S6*UnNL9%{f~5VAwL_{~vZtOt)s2^41Nb~qZUrSQ!Z%2XIdo10Zh2L6+ z&qMFHw`NalNa_i%p(oxn(aO>6~qG zrgY90R#(8Z<1=%3RQx$lw<~A6DO>1SN)lL7>RANnm&;DnTmO;JQR5F?WpizXKFDD4 zDl~T%_y6NWedwQU0m-|h@plY$y~137rmOIJj91P=koJrtO^BEx_>=eE5mS+Pl;WUJ| zu7yQbH{$G8$mxL4$rZ`NZrr_#hepTh=47WU^p{5zr~34XuIs{G-!{TtPPB@)@6gkM zz~_N$Ve>M#enW)b^e66-a%9M-lKd$pos*(`cueevnjJfr#VNtP`}7{Nu~^`}D2R@- znd_{VAn34R1oWMfHFcVE%|z7IXW9;!SrI%flexihK27qP?2EJ8_~}c+c4c^Tu?+ZV=_4D_8ZTPXnvw0mEE8r;<=@|q!;N1dAV>7@(UpF?IQt>gU)}D`;zP=06p%HouTBiIHc1Y1M(8 zlGXCf$SmsY!K(Yz_MgmPm0*+{fC5>BGf>#!LI@Xh`X<_#S3+(h8fhde@A`=o3$snA~Xk zD61;s!g=#L2#TjL9{xwsP=3tTGd8QhGzNyn(Z}yJX9*1fzd*qxt=Er{l1#>%Njajk zsf^Yvz|UK%I)%~5+>Uj=7U36rNV> z@st+6Ld3jQaEOJXk(JCMgN}%~168KaPb^9Zr)@5$Rz`dL$a^&b<1E9*qfY+o_dr$w z8nF36i$AxR9R<}TX(8Cl(jRzni~j-ud($Q9_lV|%#QFkmF)HO#X?Yj|1t(6I_+4pv z$;r5tzw%>V5)@Rd(z0+A6sxGHL4XPeL46MFIH;Dy=nR4cdFNR@yIw{>8X!c3A@SzMaZ@ikJ$ptAjM3ln2z7GFoC5eClxH0^J!cght1JI}l2 z^A+HAN^p=X@$e$Pp^%!fKgFZ=D}5G%uuQt<#M7xEXR_VWE2w7&ZuW*$S8oJ@vp?tW z4PohC3dMEIcaQhHOdkga$MRND zPIWtS2|V*yf5lG;TR-7#8PxzRx2k9o`s&Zlzc$Ub&0QAFbzL1Erp@y!+^3efRbu(i zNztI>{_160C=;o3hh3jAMtl2IhN#|zfkYW}?(c3r#-6yHu;pVut(HcgGKm*s0(Lse z^^9{rrbnE)s}s4=#na|cR)yRF+D0iUeG>Z>m+cIn!jh{guDH?@fL69qWXzpS~v^Cv=MQY&35Wt=UyH6HMv5Sp!Pw{Uj`d+N~J1G+N88 zDDGM0(UT06-hTyNY_}76U&xNhniSo27=i1XN~rPK@=MBIPA}WHm~MD~GV9>VmkK&B zCDLi30_s<^=JfOCeSY`&Zqp;SVs0~knn9S9^5z|1PZuAU zH!j_M#4Yto+tDGlE8R3z-s*7yDe<1@${4{LhG<@O6nJDvft2?E&mazxIi=D%>J$cn~?pM&bVP>W61B`lEJ9u58T$bzS`ktQoZrquZlb^!M%$ 
zKa{n96}#x9zjti^`{nJJO)#yRse9#J68-aX$iebmuuP#r-l;a$tlUHBrAVKLBK_i` z)%~*p%ekCh`l70ZgEJhPNn7%Wz)9vvE~-sEXD?@=nu`3`+>lKv*K3C_7oPA@!wp6{ zONPAsx&O*J;~P0T<0`_VJn&%8-vRbeB&1Lh1=_zKbQ(!j?1mCR-1*N1r9;l}<+1cy zRkvJZ#sqrqLFOQuC;M5|HnOEKM>i}`SEOJ-t@`tH?k`7rs-^1n+w2_-td#;6h0{Nj zQBFp#d#xZWTh`#gyPQk8dFqL3ePqla$33tFw)`TOQdU6|_E%mcKQ!kgb@#2_( zG(iTlN$y(N+q)lv?p5wR6Y!lvXJ$rPRVKXnPdIKtlP9w1E#UY~NqTB9R)wk6a@0zF zlG7;021L{@k9o7&j{WEhpcXU)sYo1U2YwArEyd(*9;vzB#-cyrFQ`QP%^2mxy%t1P zk{xAKmnYdP^`88;A?l-_rM2M$g)dSUbfE_2lyf~K3)zp0`6nd7N88oK!0S{xuoQh0 z&$_`Qm%kb-C5u4Mnr8#D_0971Zb_th4pQ`-zmEBDc8XaDGDs+&o9CbgD3 zck3LVIsWWAKihhzKc6GzE&C`!Pio6kKUiL%5pf7~)=Ig)3cU0+m9=eTLXn;cS|50b zY}YsVmS|@bxZ)Xjb{^xA%Jp_|nJHJ zSUXbDH@NZM*I#3<=wG~FO{}lr)fEYkTqD_Ty|0`mf0Hk=baP;-C9jub z6e*dkn#79*@xXa4dA~fFp2}F^A66JkWF{QY*Wp(5h_dNIyJMSp-5Gg957kMD)lDaO zegt8lK`zt6bHM)+17&V3n0|vtE~q6c3va6GJ60zJH&H4=#>+TA|12k>2t^BCn&cnO z#9#y;E@UT$m1Y8v4Nv8TLzlY4#^LbGQFs?RS1fB5pCdgj;N?b4K><%J+VE!(<{C>H=4IV|%10c+qX-4*$4)P|* z;rGMYvhr>h27NrzQLCL}8S`>e^N!iv)T>WFE-k`SdD~;->-_SU#ia~>BaUKzJMZi2 z3HTb3upUrC&J$i*fbC{nl6($wJsXovd~a2YJ0&MPwP@{V6caHI))%W)-2GI>hAPKm zqpyltmSR|vq$b8lW%FmJGr}LC;ajyNq<;vNF1eW}X`T6gMzYBSIi#89UgUbQH9l5J z>H6Djq*J9xld@8an2;6q(vabjJ)(tf zefH;<>+o33%`L{4-d&cN%p2-Sa?MG@-0dHleVe#`6XbpWVUarH=Gh4O1BO}vn$3-M z-iug}z+}mgrKKIg{uI-SI-YCNHp6{7@KP?+PQ_H+kIuav3*v*X{uj@@n2N-6!#NPm-q)tL zKB7PuL?#?4Pcp2Th-ljv#MTrH0R#R}am1s{VO~ymPLzA$f&Q0Y(R{Zczn}gYtX~Ae z805lrIbP)$bpL^&{fQE;hC6RMS*G%^p>rg@V*~FnpGj zw*EL{X=Eu5@&PcpP_g^0#zTavj9DEhaZJwHWh-Zz zB()@TagCPI8!3$mmeeQB{8|P{HXjt9-8H(Ieq1BQyESVpF3n%T~@IPu)dnxrjZ#C8ci|1yL~8kaZuJ{ueT=y5%vU z1l9px!(K}t-e{pF9Td~@M-^Md@so^j z@<-F6Tj2bfW;xH|?h_i}=s@wWY}S)qfpVRbHp;q?#8*M_+{zf3|@7-s5*RxDWFX#z*415|0x% zXa0-oH(-h~`{v&eiGeZL6~9YbW{sBw^^{eJyeERt>xTXS+XDaQe>~ z{d0=)6QR<2y|_9d7AmKG*iM6+frCGRzVCy@Vg!`lG7icFbCF3T;%Tu9ishz*e;CxB z`uDvyPnO?Cgb{G)Xnuyoni^7?4!$Gqtsl_T}w5+2g}0CzbSfaEAf*IZbqo_EK71 zXA4u3d|OSm!XjzhVbe6(EpH`m;parL zK|!%`At&9eTI5Wh%}!x?kad+DS3lEV5q#^8!t@{q>h6 
z6LIyllLT?~4;!=7!2Mk$H;?FHi_GDOsoXUaySn|r&Fs48;a(K?fjIdWGNSwVP-ORx z^Gc>hL`d96RIQ2Ca0FUBybc&a8Jg9SeIs2PQ1Oc zSB5AST-~ZNsDZh)j3QWEz0=6SWtxT2qfAlA!KZmv(LXCdToYWN%@!Ze4XEf#toA>~F(_XI%NI{OY z5|j4$l(5mXv|~zmR7pB$$r51w8wwBPh=N^KeVcq#x9TT@p|qRstz1r?%DHfh?pN9l zJ0;aCw<6K6ObbD2Og3G^iW&Jx>erkq9 z@1)cBIq`*G1z00R?V{Sw5&of&khaICw)i$Y@}FUrcp7QeOwG3@g47oxG3$;%Fvb&w zM+&$csK_7Pi-evi8?oFBo?t^u@d#s!C^yggv&z$0B;-!NDva@|if9g9YX#kgB1#L3 zWav4y$LB4EB9Ons0}8uk%ot4WOlSt@64tf{SH_MAK!sfOza`H2Z;3m!r|u2>Uv1qR z_*YxCD?lbCg`?14EySX}d0%9F^EN*pmNSr&Gq3?kz073~wRzu(pED2{Z6$$~i21Lu zrV_LPvr<4W-OV4y$oLpt z0ofo(S_8%4JC#ZPr81U<4Y#pn>-aMGZVMSjFIr_@5-lZa5jJ(D?o3I|9A%)~UNsiz zqY)A>!f#Tn9v5DZnrG;DAzR~MIZ=I|PaxR(nECrtq&xJlzI(5?O(f&rA|7Vz>yK>X zDq$XD3%}MMXt;1yxWep~)YSzFn@)9Hy(&IDDs_xmwgrQFf*tS|+w%XAeS{)Q)X77( zmXapXDn<(tSBEaeD08F^4I7|_!Xn3e9n+e-uZQiv~Mkq7rQYC$r-vW z^((w-axLu&zB-F=lv6hKIIxoAvF+0W8o%jPV%^r1d^NK>U=sAZ?ry2^@LX)yd+d~| z<}rguZ6<-r6fDBf5?{dwotH(Xym^?NYswVZ zCbM${J`jT^9*_-|uZuBoH>-2XJoxrNM?{3i>(Zb*4$$^sBOZ_o&^oZ~|6C0MHMg2l zKyH%}tQ#J;O)E*^+w2@rML=U?F)HN=qtwzzS^>@fd* zBLQ6WuZOQ=KhJq`uN*!}K{@%zX*>!Ubia~kYEyk~wu89~oUvZge%?;f{;V71if_eg zY3{SNlfYb7l>x$ z`a#3;|0=o8peD05970vv(n2pP!Y)Dp0a2=<3DV^%C4?#g1cM-Lfe?xyOF&&z1SttB zuq;hN2_|TQAOs^tx`qU#D-b#e2<+#qcjnIAyFc#vew>-}opWa1=REIo-kCG+OL>!d zNzL$X88$5cE`ET_XR703ZB%&rHUS$T_ZB4;u-pR<2+2~fz!I>s5|YHoCx8ql5wfqJ zd$8oxWd7lYmzIP^y?3}n*kpga3L^K}+9m-IHCzKA0&Nv@jt+2-&fy$cNgA8+LP+7Q z2QyZ=;>hJ-;KYJ~6YKe$r?odXs+c4D=j(M|qJ)xtP6jn);PujSP+crnU(fQ6@lM}v z!sr|4NqbH$K~o_P&6NE_0*H|u^^sx9eU2ToFpcB{7^|NI1k)UAdqOlv zX~2~;SZBZhZO{)X${f+WyfiH(k!@S6E% z&%@;3Z@k3@M08I@S(2Becy`_dJzpH#c0ic(F?7lWNHd>^2T1b}APwn{fh4vkcJt03 zscc&@z1~eKEQXhflP4*@1Cv7R&Q$O-u?z)C;>J6G6(Ai%YU_6yX+a107Y4Qj`fG186E%;&NR*3YcwAgatp>cP0VU<3*bVjw5m2k( zuf`UL0(cdE$EzB^D`*Mdm^%D#yg~rHI6WRUBk#i&%mOt^q5yg|1N2HBUb=p}x*S`L zN$%Jmp};gnP37N5oCvk-3OZ?fq>jOm`91uR=l2`HK&7MXv7Hh1iD!|`gD>?g{UW_F zsA(}WU`>)1(|L8Kepy3(um>elulA;Z_7ye$iR~wSn=ISGY!=fMZizzX4qCDvcW2V! 
zal^BjGE~-Vhuqib2}W|*4=tp|_zpSTd9`40{XWO4U#G_Jv2|cLT-8FheG+^cx!;gH zIkmfqr0(2veQ9(?U1u61Q{`IqO;iSP8z#`R>HaDdx!Z$o2~KQwQ0p#fd3yL@%=zZm zwSyu0S!t`(gG%9v@xzq}EarsfKG{`ru$r=7Olx%Xikps}AD8nki|*M2CrN6_FQ>Q- ztv-TnoaF-^zuM`;r*^ZS*J=`5T)6_}`t%G$Y%FpZN-BOTBVFkE_&P`YF$@j57t?3( zm5~JF37<^!xxQDRNyNu%64~AeAs@azNBeD3sM#-Ew-Z-(N)bOHN)r>pPyc3$4*`2{ z6+PpAT7Ws2JG`u$GdZKNq5P?7r%>z&&(k3BFlD8Mld{H6J8+=1+;2%F@EJv{9VojL2ug8|ITeDy=8Dv_KAB!9Qh(>ntuB^&UTyJs0}JcS(R3OZ(HQN+#mbTgpFCs%b-F*n*6oQ82N0` zin@!z-CVcb5Q)O$PYNCWT!AMf$s!JsZREC!4(?PJvQ4{Pz`DUkNv7d5cK-p@uIQ6p zQD*){)k}5KapAPCqNbN^x|Ja;p&~wE zNyKuTaD*W)b}u`EE2ALVc|d<7XQ!Bmn&MwY zt|pdelbID?xwBQ4kq?9$?KwE^I1OWPBopOv7H%$-XQ4NMb% zd&*U9fe_sG#6<}SvO;LdS;DQmXU4nZeQMrDo>;U*AU6GoPhH-T;IsL;FQk#UOOa+8 zZfyls8Xp5{y6F=&j+4Hwk8?}5n?DHq=|&We^cg zn_CfhY5VG+S0)}kRj-ZR*L2f}yX!|e`{_f+@Ls={RH%3s$T$Q}eu`9)7GhAUI>H?- zJ6aU&VrBHrLTj#|G1F%LTV5HCPY)}|>10Z`k`Xi`g1Opp%vBrXUk4X`TxZvCyv#7S z$flE^W9t8&5;^3jPF~l6?C%AtcM$Y}q4McQDf+>;EKA%|nx8uF_kS)W5dU+9xVrha z8yX!Ex~Bfxav>f9Di}Aa$>s%@M6(d|n7^JBv#ax4)*IB^NLIj;A`HpDja!!^3=0>71sm_2pQ&6w2<(xRqqc z7u`mSL4^-WK3avXe<)h@pPT%zr1bAg|K7wEsDSlfDe6wP+&tf>fPwE8(3b)wvOu7} E0M(_XjQ{`u literal 18406 zcmY(qb8v0X(}x?|wv7|pwr$(CZQHhO+jer|r>s&%yg|; zySKa)FbE0&000Dl3L~{z0EuRh0t^6vv=jgU`tMaEM-u~Q6BP?#6H^OY3ug;E+dr00 zcD7gA7q(mMXy18d1l`cXa5NkeTj$aZIRWI9reNZxoidywM37LLg|xOL3Z#@>wru^q z3%yIc6S+c?jU-bNoDG+@u71rC6uPs=haCx%r?`TgeyY0tM4KK0oB^v5o(vf4Xl#WH zIrZTqnLfWG$hASv$y8(p z95ICg1sHgjKeL$3_vsR*gr*nyMw;1%ikj{6X zUnbs|H&KMZ)PsLX(fJ zIbI|Nic0cI+=QA4xb`Bmjj=w7!O>KrB-l(AdQA{$IMC`@W0Fhs!2#D^Bybc&=wgH^ zf^+E1?yUn5rDBdq5YzlnHA&h?!6VKnjG#_(>5RA|uX{hA=+o5oVpNJEv%tdO9AF_{ z>m?qv6UpKwW6S+znU($wHDJ07QAIN}v3YX`?wdD={v;jjMtJ36-3EvdSui~5!Yp)y zMtmxoj#!+#-XO0-3EFeul8bl-O8U?qfCID-{{p9vOuYXl_Vh?w8c$MU=E4c|!PP@% z@^3=Q;{qoTH28-=%BD|&JEy|Kj*w_s!g(Y2V`7dnXIuHRdXOKrNS2R@S4I~Ks4!$9 z1_?P*=_d_d4nY#7XVX&|Ar(ZPix+n`ujdp^fDSqmRwJA`78!aK%||~`@No@#epW)E52NV^@M8aAnYx4I3Ob?ST=!eIE%?m($>Ysf#W(FUC zU4ry*oF@>l!{hrccEmkye_2b$-;Gl%){w?$#PTOv8iHNh3DkJDUC#Jvp$a>i61%q`(oZYzo& 
zk*)lv4(!c=m?y5^nMPR*MHDG58ucwWm}s@>t|wb@a?nz#Q7Ccr*vL^d5NZr zuzPI!*n*;Ttp)F;@Q;6T_Ji$~R5a*cGXxsgNMi}9T1?SCU4vj-8Ca9ITZKSk9Zx<2 zojLLKN|K5xJ(kuE`ZLsv^q2#MX{FLXH5KZe{K`@g++sSR`Qf-IZbPwqzap&5hykhYr&g1%| zk;@e^TNwQAWk%YWMy2nJnU3%@M}p*oQVdsiM(F4q7-(n>(X3qZYODv;SC=qGEHWIQ z9uxzUc!Yfpu>-Er;5d))eLSpMP4=&2bob$hHm5$!S$1AIyqRfwQ za;aQl&clM2JK_E$!J+)Yy|CYN(TWhHGZ(AOH$#rRU|mdjp(MgO*kj5te+u}0FkuK1 zgZR~}Mrj8>_bebRSuLZ?7h4c6H)rN|YJhy(PGuXs@{GSckB(o?Y8aMPb!cVvMKgMU zeO}&4?5u*d;W?cYF~^7AHR%9}XIuw#e6KqW>lBOv(N<8c|sIdNn~S z>8T7v*q%XVfMLbF+nhpqLtUZV5+C zDx+a_p4bz%6r^+}_2@UR;FxMejE0zjsmGSa*@|~Z-5MhuV$g3)-ob=YPC(im#v=AZ zF3kv@5j|$18eokBwZ+XgN_5N{#S@Ji1_O`MMnLvxQ$n1QIj=aly)I!MvqtEUSZM&8 zQRq@AX%W}gHU!O#s+P1dh8A!x%^1Z&479{ti1!QhWlt9L47H+VL63L{w^+_4FE)-6 z9y~P?|I2{P|D0kmXd<)S;BK+m*o>J3qIXXjRN*5A4epB&&Pv!CnijbLk*cKcE>PgH z2`x}D0UFT83u%o3gGT<`A2)KARE9AvhbF+g-U%WMt$yndI1$pY4%>0Bxd52o%WI8_ z-YzKQwNXzia)%kvt}*FZUSmlHXpjc&j4)UAalFpnkR+#_^E?VsTwuc@2q)y|7AXaVEY`fuM6 zTTQZ>jP6n$7p|PDM{CiV)s`IQEdw)YEw+3Q5JY5EyanL&e~|}L*LAhg?++`oOIaW5 ztA)8s=2~Ggc0c(xHk#)Gtt|=dbWJs&GFojl6a^txGv`E%B68D(AcH2Q*RDsU{L0S< zDH+OAU`~XiW7hOn7TT_?WjJ&yn!2Q66Z+Gkd5 z^}~chB?OPvsI$_ie5N+gnr%ilbEJ9F^+ZyzdKha!R@Xt*m+0na-{;$3EY2Vr059g^ zqRI^ja@F3f$ITXxL&~e^v^%pSoXV!~^QgH8Bl@e1rqFmc4*7p|+~d(IVkjRaprJ;V zaxsSfF+WeQAJCZgyn8q5_#C*PaEogWT#PEeHiM#OS_wn4?=T#@1KF%IkMWN`d9J)V zcUeZOHd@LqB<#gh+;5yHL&mdwzMW8k*>H3Crt9YUqi4$25sPXPy zn@U?w+t^O|Yz0=%DyG=S9g<2w8I^kLlw=2AJx^lab> z-x#y18d|-us_C(GlpLn5h*k;vn1C)uvnMLJnHeaTp46roJ|&zGKxaz7@lapYR3|2e zrASyI`2@EtMh`uqaY`9xwJBVFHk3eVhFo8*^D_fEb;A?$0Q3#KI`+_ipbWR{;U~Y0 z;neMCP5sPQwTJ8b!4Yfr;m*(K_6)v>9}noNlh2>y#F2X1cuh54YEkw@y2A`~v|6lY zS^}UJ_F?tAV^*DLPuhQ&CoGEUv{5W$KWp+&rb2bfh)-y!=qpU8bcxw&Y*G;Q@p4R7 z+FpcBrbdp!%2T#$YtJ#~&2j5iH!GC*Mr|uowOou%r$Q~lrZ>0?xZX)l5VO%LkoMKUS^RDvem?}2!A5h#^v4JU}g>166OJM3ORb#dNWK~Ar-GuuEV+_ljN#pAhC*S z!9^wviVbRvx=;x;2@uJ=RTKMR_B}&9%{|n;Sh0^`#62QwZ~bX>y>GOXbMN*Yv1<<3EUIP2 zEJwqg)ec|0jhZ`4Ch8yebKN!DcZHkqEVBmrcZF{K!DfwchdB=Wi0|1m5_pIaXz>UC 
zmW`X?WT56EA<)id$;rnJg#h;LVPpC!uupo(%$T_ua&s)%`6fv+?b;ZRUykB$kO1+T z&?)keQ&1QW#ZSmH7ZW$|d#J()kDT@r#5%zSvO600G`+t^fFsp@94`ycPBhkFuBWE(WZo2Lu9y%ur{Scjq1; zd$akW0Gk}}ef9mhy;YhhPI5|_lZdRPa{6Mqgyx_ZgnD4R#>n9qJtC}^!B>U%!Wii~ zLwXLs`U|Ncj}QKk;SDFW_O-n%-W5fo*}f&|D#daX=0sc$9hQpe-duG9GshZ=oV~uh z-`UqHZk3$ymJJtOW3iv7sjkeVbhy_g(RRo1?^vJDx5*FV`kY5U{yBKDBHUs}cq9>a zF)X6Buy?PaWqh91H&4HwR=;khzJHt7EhmA;*M>!8g{dw{NTOR3CY%O?+fCoEeV4=N zIU1Mxb}FVi6ITFdAj%QD&y_=jY({QDbG z^7`%!)cT${+58wO%V`b{uaHc!h-il7gd~gW7)S6u8L`x#XurXWV~8w3f@uPh)QM}8 zk1~DpTS3EShOy*@ez!(XqZ$?}YAt@pX`G#jLGYc{E)g1VcNfws4 zgC~v?mht+l$Y*N1tdD^8Q;OAlH?*0v#xns2+Nxx+S;Mcf1@<(TOs@Oqarl}OScA6D z!{zN{MT)Ji`Ymwr_(N^eW_?g;yU%mso0d!(P^9rgZEy9fD(yzE=j3}Oum5|6`g#w> z!~dE0nJ9Fc4TDIC|K_|aTsWif*eVapweZ=u_9tHCPh*R$H*oN`l(l>Q6RLGHiU~7pmB)jJ8`> zqlbx`rq6ySY#NzK<_sYge#x_X|M=y;P)XrZ`#V_)8+b)-C&QzzZS?3@1q2^H8o_4! zzY{UkWG7>Z9c87mV@P=q9E@_%n2U8Pv+tkoY5`v#`-AK72B~6w;o2OZW(>KyC_&V3 z_$SEOJD@TOgiI~pvRSEg!K%}=FZeaQ(LpT#u0w*Hw5^_W@qnD%j; zrPo~RFVlc|Rw2!6{o1a=J*ukYx3!|2)nM`4+3?M4t@!U!fqHiR=gM zH5ioaSg_rTS-^$$_*uaQAv0$YU?c*;fm2j~?pT7cHn~AK3iI7W{uVzeok}mV-HK zRvX1?<`fuM?C8dgpLt4Mz(3}$f;fP^h!$Oo(*eHcBh7;==EMKah=58y{O^neVe#Wz z^UZ^=`14Y@VX#nnMw@r&Rz+|T^qBV`{zhU@R0RumRk{i&qC6HO>c?)K(jJYq;w=i> zu~gpRTc=RexK-Xz;$Egye#vfW&37;nOw|#~h}@Tx)W3V@H{0++0E;S)Ch5i2CDg-X zi5a?Tt|?SwbMEh6wFNNzLTjb(%+C=c^Y7j?(H}i+6CJ+8_ehpin_NOeW9^_9e?-jl zLkn@W1X)~A=XXKlpI_NQ6Muyb%ir^-&5(sTA%;sCesK)6+S|)`FbmRMPK-+c^WK zoB0%p(CZDeb!wzXX%`V8qz!g!!JcfhY}#VxfUP=jWBOa$B8u*kGeqYolrhYE4H-nt zCpyJMN=X>#9%1P~PIsvo^diok0nyKSibm=8hMPGz(W7&SiV*w>@uq; zKP{C1X$AeKB^tWI682TfN{@v*I1|=C!zDCxmZ7tQaqgpkKJtr8${ktlF} zEH2N3G&s+|mvxlmPcn!=w%L^uGp#x{hN?b!qxao;DN=vXN=?bi-*W_?HzHBMTcridE&rsf?P4NScuS8E2)>Pl*P08(P+_Ij8 zJ>A$#5(I@@Zps;78*G+l5$R^ALJVoU0H>LJ?>T6jrSebHmAvVv+NJ&+tDkQU9Z`TE z5{tDv-vf&LprQQytVvTBVyX9(;v5{A^#C1xJO)`%jhsQCjI$Z`87v<52{0%2P-Dba z`b-$|R^N!OVNs+M8S9hQ(1&%$OLD7P8-~vjDj#leSN!Q!QP(wn*WDY@J99$5#dLH5 z4iQ%h zBM!7r@$J|daBgRR(5$q1Kf2rBrNm4zDN8U~NTneXt!Vhe(1FtjF1#oS3-#0)`ftD= 
z);6BWvR)Q{UOZyTiHD3*Og;ewdvV}~Xc}|#*L6cV-|P>1|C`g;3C7w^W&vVG?_j^M zBpCky-d^{FY5Ru*5pKCdCVFWE@wf7!>L{#>Q~C_=WP2&|=(}qz1KBD0@_1?AOUx!M zBJ2&IT(s}-R>&IIE(}+r^uW7G*l0*%)W7&i!{vjr7AugUHu@?1*=VH6B?nrC%q5$- z^`qzmOLBt~A7D6)?)w{NaI4gAp_#DjSiJJNjg8#I(f_{5GUr-?z9*WJHhT{fm)PCe z+i!!`nwX~U;r4kxKat-a&QaQz`1Jca33l*s3ip8{BNtSGSTWpXqqb?Js2VHP?0ISU zOK%Cd-O7~KAmi8*6QBI$zUu+VLh<9L_3_#BgW2_+A^j2`I~vO{atbT%J^K>- z-m4XoW>ffu2^0?77wEQ@sEuQEf!BnR7BJ2`OZ>xj3+34#%Q&hhmnNVOKxqj5%OYSck5jgHod(^7SR!Yq6i#|OR(c)2_1;ii{QI1TXZ%6@Vs*qN?AM{jD_A0~(oTz3PpW(kgmE z%pXM(!x24X0L59KrH>DwB+x4wx7D6Et^BYGXB-G}6KcE^l8YHO3}O2?rX8*US_aYe z+Ir3f;)6%fEZ8bhplhB5#^+#`RxeQFo|vbya!E&w&~w5X(3enrf+8Cv99<*Cc!|Mh zw^3=pb#$5;d4Z%y@NEaB1~*&26~Eu}77<8@$ZN!l|0pwP**Ag}QMoWDe3e`HgQ0U0 zG2rK9X-vUtp5dx;$-1cO;l=xgC2m3Mkm-_`)iCJV+1YB_;PIQV-6hAoa$os`mk>B( z2;$x0W4KsaEirL78*%s#{=WOiEPq0c!zpmQC{~dP$TCuS|fUj+P$l6b&%<>(C za(Bf9qNoP4ww02GFR%4vnxkjGPkG>^9d;633pQ1a^uZ2%V z(S4xRkyC7{{nP8qfc20)c}w)wLAV0m} zaFc$(8?zx-04d|FcSCS{jJ{JN#O_rCLg~2p!XFqpd!4m%WuVmvQ2oqzH?Hv*nD{9p zVx(pPca4MD3epGjCH%|O2=0&*U+ME!8hbaC#05#>_r{DM`oOIsXvz0a#RE})IL@+V zPu@w1+;M?(m+qKU;OM)xVy>3#Psiqfw8Wdr5f(N4 zFH+3Dz+dg~tj6iGG~aTWXopOn)hM5ssxPV%3e%v}oBpP20?>x#!c%=;4{qEraFaNA+( zILCNUY!Mb!l(Ye>GP_yA1dU-Mm%npluAJM{eioP=wPcu~sTf8YG{Dgrp}zAT+@9-; ziRis0rf4Jg$AsudWwJGfIR#$&5r0ZEX~SCy>!Dud@aI}G(eP)*X9*{Ov=CK65uxdS19Aq zqR3BHdHdxfQSv&ylMO2{Ac85N{xgQeTW?n4!|D>$Ht4%ZIJCHb5?IMpgf^VJQmL1g z<&z>zAhu0a7~};0Or$Wd<;E{16c&Yz1ak2QtBVHu-p3VbU=b!?8c6-%2tDt0gxqHz zQt!i94i9cHsrv||&fAfk3n_1zMfQx7+-V|0`-S9Nar_*QQnkx7`Wefx3EfoSUfr6~ zjVh`~m(0DB+guY=iVl}X2Zuac>FHt&R4p9577IKZsceZo9;`vKZ?_z|xl?7J(veCT zS~4ZmPBKUyI#8~S{p?Xmi(7kGunhwuF)tH-VhUX8Tv9TQm{nAiH|t&efgC<{E)R=rGL=ItOUAtF7}ILB zQ8G5|g~`K4hA}-VZjl_VKz1$Ca0Q41G)eeUo>L&Z4r#cM<14vBQy_=~2g%5ClpzkU zJ`p!y)C3qub`OtI#6BL^Dk0Hv?Ksfj1Yggvy~axFYiGvLC(vs~gkONEL4@q@n^=#j zk70{%InPSuq9EjL7<}94iU8RNSQ}m!+e^gnooC?ngVO?qEATaVbDGD6?{9-`u|di_ zbBl8rLn;v+6Ga=n$j%z!V#(CB8U<2~-PS+HKn6-w0(#0yq-WHaHInn_Kjk1ka28d{z&m3Y(rueA)3DaoVe(~&3wQTy#vm68ly`KD=kOWrok*dOGL(e1t; 
zHcdYGetM3QJ6Y~P{GD?BOr-&VZ(t)n!vRR{c2e=DPPAl-s1s|**^^n_BO)% zJR4H!6Hyb1bs9*HBJ05pM1epgz*KyxS?!!1_4$mb2R;;eXpkZnp0LeS;m)8h8R=t# zN5mb&fOH&ga6HioYqlQ5fk~+bvVe#FC|NYs}%7*dU(vs`hnO9`Ss0Y16D4%aK&7xaQ zMpWxf+-MfbwXorZAU&y!czC1kLb=8}-VM5Hs`CotBr9YT!CKx1U$v#7M@SFV* zu$5q#-`UA2kur*slsyF)8&Mg*FE+FhTb1$Mw4HTl#WCdLx}1e*-{#i$*5SVefhV^1 z$a760xE_!We0;vs1B}>r`Hk7zhB73c)_}haEk_4Ze+yI%w=2y{XxF3@r>ttYd~^$` z9sa6QOm6o(H19$%j(W;Qa!QLOp~A@!Zz_8{>)k6&#<2&WjVn!YQP3()GD7d6uhgc> z-nxjk{!q(1weo8UG;C;c2b*Q$%ByVvwy|^N_ik+fjsQxP`^pkX(9dc%0#CjxZUCyd z@~7b5CNu&6qn?CQXK=KesP^AjSe=1NuhC13`c0R)lThle^mK`+@@g7@=m{XHyRTK# zQ0X>WCZII`Buqf7!yQvl>2)tR5g(|q|Js@YZ%@8XU(HFirxegO-CHa#zuyKV=6$9{bNl{{>`+E`MLln995!VkKK-_2{YT+Dp8-XV7d$vH{S(h*# zCe~qAhfu=YGoX(Qyvo%BE@u?U`;8#wEcxO~!1;?gINioBr{FEYofqFnW8SMzybp)? z=dQK!9xL`8zG%N6pRpq<%;vK#4R=EsiTb(ok5&9N?;dGh_Vp=S7vA-=J(lyQ;%4YW zK_6-|mT(CeXvr(gMjdHY0lw*6{tZslSRm-123L^VF~At|Oi<=!>IsGb-I40Vf*@Sm z&&xPW@?}$V{Q~LCun3S;PWd+n4=lWuZIF~aRxZO+A*4$;C|Ief&!Y_^>|0T2vM@FV zZ~XPnW*eA77IB0!0>R)uDQKs|Ysw!rSSGHeHnUUEn!X{x z1kX9sX$PV4@vG~yeY!%+wA>8!U@0^^(gMEZV<(g2;o>mG{l6Lw2M$Wj-L0}l3j&Mg ziQd)w?vzW|=|CURT4YIEQ|)Yc!7yw)$B2>CWqIW7{Ld{AY-01u(VU z*}4VdBc+ zaAj;qW-(5cnkul70#)Jo7?Ux>knwIOX0?#y38QHVdh8rrf~VYLDN7~fH{zFHf+Hng z%0CAk@Z`yO#c$m|!JHgxz^&Uijx-h_y{c8IR8Oa?UgV>AaZmctv}m(Y&w&y+CNJyU zWX2{;!XX|*D8wTCzs*EjAr9dr;{O_=@{<4W`|pJaN4arC#cKdWE?!}{IBDHjNAR%q z2E?r`-kMc&MQZ5cX@Q1%1>-6ltdx5ZGR<l*^yV;4Pi^c;fxoOuB0l#B9t+_9&8Cwsj@2&Q*2iqR1~#0!!xqa5wo&bPEfRNq>U&qZxdr#dbsWkkd;*rTC{h z$sz%>sz#O+x=EMLo;-KJzTO780#?PJ(ehADHHgP|e?poOX1P~J{nzGr?OaId-gjD$ zWZD+4rF7480(RrOrKS&%bHEV-8O!&82eON<`@91ieQ)UvK=L+{AdApkbaWXa+5XrncqW>`idAT$Zz#Sjy$V^X_?Ra7o{d{>K2U)nVht;B286$+`%&mS#hx zm5+RSJ^YynGZNBFm49z3d-5E11Rc9yj7*jmzi(63UdqaiiN-%Rm0!dRg;ZXKjg7@O zuFB1S##;lq*b!2JSnAY3T{sqNnmd!lE4@&;5mb<%G$K2I2Vd@xD&nLC32B;V5to>UJe&oaLP?A@_?T-qToifrT%FI&l= zd(4@W-Dv-)Czp#|zY9;a8tElKXb)MbK_{#fb-0QgLyqKI#av{lGUfz{VUN+HI*8cy z#)^JIRNb}RA%TwzIjz0nr*KLK%~f3QHVito-$~z*6Ud+UI^ePsj~>~ozlNfX6T6|#n1K!uPpQig-8d(k 
zbzFhICFzO?Gc@}?aI@@Xi^i!xiUTG^6bRWjk(iD%2NXnfOUMZfC@hGz!JsSB#2W6d z!<*7k_|IIV%6$JOuoDt#P6W&N@B01Z{eT9G^St%_VCRyMm>&4V6-!kVe8NT;K~zSm zXhHqfPd#jZu#vdpfB%c`6?-NTkE8_}au8qxjaPM6C41$jj-^b3zauz6z7{m;Rs~ zS`MBLr^gqB^2Co)tXMf&doKWxBCD3O}KMI#e^C;syvogTY;= zDPo0Xj~HZ-MKXBM#KG~m(9ZP_ywkqXij|GMzQLtNJ z999rdj1N8{FD7J(q{v?F52{mezB>nnMH`5P9OCZr2Dp@s^TR@_eY!)YMl*|` z`!j`p_LMAK6he%ee5lW7lNfi=Cz^a0vh>9XMf%~t|MQINYX{O+mO;VXnb8Y&Y%)&e zhpSt55JK9AgMOMO5q2@T+G@HPXDOf-QD0&2U{(B05v6$85|!kqJawT!DH1OEeW#q{ z7oNyU{@iALFO8Nz)$I0sEyzulq_;yY0ZZDKOWf1tNcmeeYc3q$``25>TPgTxF(R^v zavi*bL0HP(*guq<=Gwl@$~Hr`DMR2rMEGN$^?kT%~GvrG}6Mu+G8dBH?0C>K)Y04m+5_$lr{w#3OeM{28%i2ugKvn z4>EHXdi=VI66i=aae3R9=f5kJ8rSdsw_+*P#<)T+WhR z)_RkA4WFNvQXL$TFPF&8bUOSOrhk!@VuPe(?TkbEP4oW3aqK2o0i}F-u9n#^4c7?Q z*e&9qUTdJ(XeMY#%2O>lrq`n6fAR;^&vJ;MHe zMq<0w~g49O+YSH+t`Dh_uwmar+Y~JFPd0yRJPM~Q3JInX*Ijz zD;kTA%)bDl|8`#MPsRU;HIPz&E&Qc6j@}6}&C+=%`6*BEgAM=eurRbvn5Jy_im-Of z^r7==L%^JX{iwVS*QFqtg$FE2OvBOfBzu!h@a0N=wROz%VLr#l>3e-3{Di(>D9xK^ zT~d3;DP4lbNSc5}z|bVZ1opwf5!O>%j2+rWHb{#I@Fqk5^6|MsNe9Ve&qzd;A=Tq9 zsX#wn?hb$>QeIeQ%RAf;8U8{x00VooOpa#c8GlkI%CcENC!mx%(z4!gO6ae(PS~Gg z&3H<^>9RUlY+ga3Esk-JYnM{U zCcHV*cdA@J!|?puq_vFn-sA{Hkta$iEXCC3atRX&tq9T>Jb;uLb0FRpxFD<>QH>Q= zOBE}-{>oL|?Mkxb<9}64ji#&mDoHLS)s~Z$rPY>kRw`C?o0X~>cAB$|skm-3Q<|-w zGN#YjG*-AK8d^mrGkw7fdanb2wAMMf^bMwd!?McD3!$~o2$_kzL8y2Ws5%-(VCgn& z(rRiz?Aj^<>7&&j4T?=|-qZPJvFa>haF{eLvvw8VxGW?~nXx5h?SjtAhB@rG8q(01 z^G`EXzNp^`IRNWfRo1v=wH&yx?hjnk*bXF5M!l%I{?FNgUuS9DCj-l9+~cf%$HxQJ z3gc+aW~XEeOF8JYddSSYWKX(l8Bc2_vtQu$mZYP*th+9*{jdJ8iQS?31h#gawE}0x z&ho?co}%L;IISQgg{6XW@4EW;Bz0ZXJDGXa3jG%9MS^FA9MkG7imFjV>MU1Kyl8(m zQW$J+@-8WxQkj%`J_=AXtsG`mC`)pfB>c1OCtA_jCL&Gt|5sJ`pO*=Vzg{X%68$!D zRtf)VH;G6WX;YinOv2Qcc9Uy#lk9lNy_DoOvQ$m%Ja1&JANJ9=axOnfA$oA>xsFdL zb}QuOFHu6HXDIR)bi&Uv0}O7MR@f{w4t&J26pZyJQxwwBDYTO7;~Pb4HqcxQK1#jB zSl=fv?a zg3QYKgjg~Uw}btAga>6C1F*r1rIa*neDAOS%6k3*N9-0{I(mdxyygj3>Ha_vbdxKy zS&p<5mZfG~iiE0^N@Y@kgr@jkH_4}zTIp;xsn~)grQ!#iTKRpDN>xysew{HvX}2tUEEP!X`IZK8;r1*bp?Ev42B&by?SA 
zUHT7D{Z4qO4<1+*A^BXAJ=U! z^5|5-qg`#_R?fg5LP3Mb_{hvb8@&L~hPQvzZbrD1v{QnZ3H)3CvmOmm*0GLBvc?Dq1|u;7XW z#k8i6$C6OAm=-B|`=1H6bk&Mt8&Xf0kysw&Fk~z>MpwMzY?y;MW1g&{83mx%Coj7F0Vkl;$ag^zME;(rhxV2gXOS~;T=Ia-{SyKTH(Gsy@Sj!Z2(Z=Tv2vcY~I2P|s*s%wjKPSJ?+tAJ7;8K~EYVcQ)xqH(YDga;{bA zCi(G@k7%exK2)NdI;~;KSTp5Qj(zQ{WIpMvWj>V^vV?`3qEurkr%aHF}~WGOM$V5(Y6G2x-q(Kw%! zRP)u=(a>wCrAZr3RZ4C;tgfIit6DSGos&?or4;cniDZ0~?zPEZ{D7mLtkF?R){+xd zI0-j_I(?>?Oyjo1|L?Iuc0XiAPB{S<65ls3U%PL^H-)o{%%!!(*M)TsfV!%wV<>2? zmU4VDQ=^BI`a+_jNis*}-{oOtQ;kYhlcI+OhYKs$Z00}f--Lhil)b#ss%WO>`g5K2 zTW!DY>Z+b(bJIz--jC_xt0RMPCZL7)zKbwE9Mjzl#q zSZ~SxlZ|UAqr?8Yo%TFsJMG2J2dTR(_lGuK`e_?lF0dTT)>sZ^l@`MNo*TkMQJS|( zG0mKHQQ9F`)8(1Ik!ern1aODYS`%ykO3jftkxYSl(s4iXk8r(C@p`!XT>Zb#9aG`} z+XWuOn?BHyxYmT66n?xpK%zeajxPh3@Nf&agd6sST=NhT3DKQ7R3E`8wx!m{n*i_% zv!~X5l54t2wL2PpwK=ErDK1yr=c86@$<Tv-TU0vrUN=wa$lw%hhb8%ave&Ek_O) z*K#JO+b`1Zr)=lz+QkmFQm3p?rwQlbot3t(u39^{yvW`!IPhY>BVcO<@e7-U_9i{N zJ&ajk&UN@P=~k@EW)@fY7Y8A>QZAtNg9K{jAtH>+b%8QsC)^i{k$F@8U-4CL?X{^Ce}UqobxC=x7T4jrIG# z#f?OBAwfAH38^Z1dq_3#g-Sgjal{E|gQch7m5Nugd8S-xmDrAD>;##@Btd7fhwU6B1zx!!td_}v?qizLmHb9@VA@#nyJtF=~ zz1_QwqWxv0HNe)w5}aWTm}s&rAVx-29uhtXxnowd*VF2kbFW)UYCfPU@#uJh5Ay zM}V8IZuV~}xo3`Be`okyp5_ltny18`4@rGv2wVJ*C})od86t7l8Uzb(UWr_oG1xI5 z93`7E@|w13cAh+6d}3ZI(ADiO>jc1#N;4_Px1(I1WCi4jp;!I*ZA+?cMziPTJ+N!x zSBSKFkucZ{S&`h-p3*gIRPkhbDO2dFL1TMNbuaT{Qo)-0M6V*j&Q0UO|#601&)vODE_2HM$Lj=2cY$h|a~7-%-j|5;(Xk`CGZtn~HT z=QVE^nsiLtOs}mX?D)gl0*>nlT%meb{?m`?vhzoqy;CfO zNoSiVyzxSA?O>=z?X7eL)zXhGsFaTT33leI>FX}s(F|ffAiAXjO^lPKvIe0@I*?U* zE2KS>KJCT@SvRK54MOYEZrw+a;QTKynZNJm8}O?P9W1?UzwHyo;R1tpPN5?;RKBKi z87z_S)-!sMVXLJeSe)e$dPmsOUgV9U>Zcea%#^Z(b6OflLmzY3xoW6E22N?H+Z(Y$ zV?=V>tlf1+v*_7wDY-4&obP6`_@zY*tr(Ep^mdK^Nv!hNnd z0;@6$@Qo@ytilOQ>3e@=oA^df(FJ4+?&c`*XuaanP(MJXb~~)cG|ODiK+6*BzoRbe z%fVfoMU~oH!@ZHRoD{O?VUcA`yE1yybPI(M0gElpsM>sZvvK`w3(GPkAnnO!;iV4KKw{~c@iY#E2*Io9#nL`*&t-DIC)I{cySsbYQa^O zNT=yTS63@;XqX6W!bgCK;Nk^BC41ws_iVQGHtUDs9!#USCorMjyl&(OdaSx6;yUTY 
z8TO0~9M0UvsU=SP;FGaoCBi>klh0<0^C7DmcMpGjqFTI@8PTytV&&)@P!-OVcoB7z zv@FzvD`*GOdh-H$`bwg2(4Nj>r5B>wc%?3W%t08vO6lGshvjzr243x4VgXmhc!ZE7 z%2wFTlfb5&61MyH2b0vF=`}^e*b_F)&NrfvcMgG=eI;z8=a6wKo(TK!fk~ZbWy79} zV!9mCIlkT zrVlN=^m`V0*riMPd4SANUf@{4R4Uo}TvkmSjLj40j74mU{R@DSjlYA8?#tUU1K%d> z?J3`rzq{)6W8tI8@4#YyWkcD)IYXP%TnWwMtJcNzjF\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection-ctd) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\n\r\n1. **Claroty via AMA** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Claroty via Legacy Agent** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Claroty via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Claroty/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection-ctd) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\n\r\n1. **Claroty via AMA** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Claroty via Legacy Agent** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Claroty via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -60,14 +60,14 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This Solution installs the data connector for Claroty. You can get Claroty CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This solution installs the data connector for ingesting Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
 "name": "dataconnectors-parser-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
+ "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the ClarotyEvent Kusto Function alias."
 }
 },
 {
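Review bot: The new dataconnectors1-text still describes `the data connector` in the singular, while the description earlier in this same file counts two data connectors (Claroty via AMA and Claroty via Legacy Agent) and warns that running MMA and AMA on the same machine duplicates logs and ingestion cost; since the second connector text block is removed in the following hunk, this paragraph is now the only guidance the Data Connectors step gives. Suggest `"text": "This solution installs two data connectors (Claroty via AMA, recommended, and Claroty via Legacy Agent) for ingesting Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel. Enable only one of them per log source to avoid duplicate ingestion, and configure it by following the guidance in Manage solution view."`. The parser text change in the same hunk reads fine. If this block is emitted by the packaging tool, the wording change belongs in the tool's template rather than in this file.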
@@ -79,14 +79,8 @@ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" } } - }, - { - "name": "dataconnectors2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Claroty. You can get Claroty CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } } + ] }, { @@ -102,7 +96,7 @@ "name": "workbooks-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + "text": "The workbook installed with the Claroty help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." } }, { @@ -330,7 +324,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for baseline deviation events. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)" + "text": "Query searches for baseline deviation events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" } } ] @@ -344,7 +338,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for conflicting assets. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)" + "text": "Query searches for conflicting assets. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" } } ] 
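Review bot: The new workbooks-text is ungrammatical: `The workbook installed with the Claroty help you gain insights` is missing the noun after "Claroty" and the verb does not agree with its singular subject. Suggest `"text": "The workbook installed with the Claroty solution helps you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."`.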
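Review bot: The rewritten huntingquery1-text says the query `depends on Claroty data connector`, naming only the legacy connector id, whereas the removed line listed both `Claroty` and `ClarotyAma` and the description in this same file recommends the Claroty via AMA connector; a user who installs only the recommended AMA connector will read this as an unmet dependency. The same change is repeated in the huntingquery2-text through huntingquery10-text hunks (@@ -344 through @@ -456 on the following lines). Suggest naming both connectors, e.g. `"text": "Query searches for baseline deviation events. This hunting query depends on the Claroty or ClarotyAma data connector (ClarotyEvent Parser or Table)"`, and applying the same wording to the other nine. Dropping the duplicated `ClarotyEvent ClarotyEvent` is a good fix and should be kept.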
@@ -358,7 +352,7 @@
 "name": "huntingquery3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for critical severity events. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)"
+ "text": "Query searches for critical severity events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
@@ -372,7 +366,7 @@
 "name": "huntingquery4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for PLC login security alerts. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)"
+ "text": "Query searches for PLC login security alerts. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
@@ -386,7 +380,7 @@
 "name": "huntingquery5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for login failure events. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)"
+ "text": "Query searches for login failure events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
@@ -400,7 +394,7 @@
 "name": "huntingquery6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for sources of network scans. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)"
+ "text": "Query searches for sources of network scans. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
@@ -414,7 +408,7 @@
 "name": "huntingquery7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for targets of network scans. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)"
+ "text": "Query searches for targets of network scans. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
@@ -428,7 +422,7 @@
 "name": "huntingquery8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for unapproved access events. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)"
+ "text": "Query searches for unapproved access events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
@@ -442,7 +436,7 @@
 "name": "huntingquery9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for alerts with unresolved status. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)"
+ "text": "Query searches for alerts with unresolved status. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
@@ -456,7 +450,7 @@
 "name": "huntingquery10-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for operations with Write and Execute accesses. This hunting query depends on Claroty ClarotyAma data connector (ClarotyEvent ClarotyEvent Parser or Table)"
+ "text": "Query searches for operations with Write and Execute accesses. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)"
 }
 }
 ]
diff --git a/Solutions/Claroty/Package/mainTemplate.json b/Solutions/Claroty/Package/mainTemplate.json
index 1f0d1d69e0c..b766e9683f6 100644
--- a/Solutions/Claroty/Package/mainTemplate.json
+++ b/Solutions/Claroty/Package/mainTemplate.json
@@ -644,13 +644,13 @@ "instructionSteps": [ { "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", - "instructions": [] + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" + }, { "title": "Step B. Configure Claroty to send logs using CEF", - "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. 
In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.", - "instructions": [] + "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**." + }, { "title": "Step C. Validate connection", 
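Review bot: The new Step B description tells the operator to enter a Remote Server IP, Port and Protocol but never says what the CEF via AMA collector from Step A listens on, nor that the protocol choice matters: plain syslog over UDP is unauthenticated and spoofable, so any host that can reach the collector can inject fabricated ClarotyEvent records that the analytic rules in this solution will act on, and plain TCP is readable on the wire. I would extend the Step B text with a sentence such as `Use the port and protocol the CEF via AMA collector was configured with in Step A (check the connector page for its default listener); prefer TCP with TLS if your Claroty version supports it, and restrict the collector's listener to the Claroty appliance's source IP with a host firewall.`, hedged because neither the collector's default port nor Claroty's TLS support is shown in this diff. If mainTemplate.json is generated from Data Connectors/template_ClarotyAMA.json, the wording should be changed there and the package regenerated; the same step text recurs in the hunk at @@ -834. The enclosing instructionSteps array starts before this hunk.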
@@ -834,13 +834,13 @@ "instructionSteps": [ { "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", - "instructions": [] + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" + }, { "title": "Step B. Configure Claroty to send logs using CEF", - "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. 
In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.",
- "instructions": []
+ "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**."
+ },
{ "title": "Step C. Validate connection",
diff --git a/Solutions/Claroty/ReleaseNotes.md b/Solutions/Claroty/ReleaseNotes.md
index fe42770159c..6c976c5c573 100644
--- a/Solutions/Claroty/ReleaseNotes.md
+++ b/Solutions/Claroty/ReleaseNotes.md
@@ -1,3 +1,4 @@
-| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
-|-------------|--------------------------------|-------------------------------------|
-| 3.0.0 | 27-07-2023 | Corrected the links in the solution.|
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|------------------------------------------------|
+| 3.0.1 | 11-09-2023 | Addition of new Claroty AMA **Data Connector** |
+| 3.0.0 | 27-07-2023 | Corrected the links in the solution. |