From 4401000791b517ea865324b37e104504e0bed4f6 Mon Sep 17 00:00:00 2001
From: v-rusraut
Date: Fri, 22 Sep 2023 10:19:26 +0530
Subject: [PATCH 1/5] Repackaging - CyberArk Enterprise Password Vault (EPV) Events (MMA to AMA Migration)
---
 .../CyberArk Data Connector.json | 2 +-
 .../Data Connectors/template_CyberArkAMA.json | 124 ++++++++++++++++++
 .../Data/Solution_CyberArkEPVEvents.json | 7 +-
 .../ReleaseNotes.md | 5 +
 .../WorkbookMetadata/WorkbooksMetadata.json | 6 +-
 5 files changed, 138 insertions(+), 6 deletions(-)
 create mode 100644 Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data Connectors/template_CyberArkAMA.json
 create mode 100644 Solutions/CyberArk Enterprise Password Vault (EPV) Events/ReleaseNotes.md
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data Connectors/CyberArk Data Connector.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data Connectors/CyberArk Data Connector.json
index cd979f541d4..1abb2407a51 100644
--- a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data Connectors/CyberArk Data Connector.json
+++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data Connectors/CyberArk Data Connector.json
@@ -1,6 +1,6 @@
 {
 "id": "CyberArk",
- "title": "CyberArk Enterprise Password Vault (EPV) Events",
+ "title": "[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent ",
 "publisher": "Cyber-Ark",
 "descriptionMarkdown": "CyberArk Enterprise Password Vault generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.",
 "graphQueries": [{
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data Connectors/template_CyberArkAMA.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data Connectors/template_CyberArkAMA.json
new file mode 100644
index 00000000000..6121fea3ad4
--- /dev/null
+++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data Connectors/template_CyberArkAMA.json
@@ -0,0 +1,124 @@
+{
+ "id": "CyberArkAma",
+ "title": "[Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA ",
+ "publisher": "Cyber-Ark",
+ "descriptionMarkdown": "CyberArk Enterprise Password Vault generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.",
+ "graphQueries": [{
+ "metricName": "Total data received",
+ "legend": "CyberArk",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }],
+ "sampleQueries": [{
+ "description": "CyberArk Alerts",
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"\n| where LogSeverity == \"7\" or LogSeverity == \"10\"\n| sort by TimeGenerated desc"
+ }],
+ "dataTypes": [{
+ "name": "CommonSecurityLog (CyberArk)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }],
+ "connectivityCriterias": [{
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "",
+ "description":"",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
+ "instructions": [
+ ]
+ },
+ {
+ "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
+ "description": "On the EPV configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machines IP address.",
+ "instructions": [
+ ]
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+
+ },
+
+ {
+ "title": "2. Secure your machine ",
+ "description": "Make sure to configure the machines security according to your organizations security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
+ }
+ ],
+ "metadata": {
+ "id": "1c45e738-21dd-4fcd-9449-e2c9478e9552",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "community"
+ },
+ "author": {
+ "name": "Cyberark"
+ },
+ "support": {
+ "name": "Cyberark",
+ "link": "https://www.cyberark.com/customer-support/",
+ "tier": "developer"
+ }
+ }
+}
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json
index 495f30829c4..50df6870d29 100644
--- a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json
+++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json
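Review bot: Step B tells operators to ship Vault audit events to `port 514 TCP on the machines IP address`, i.e. cleartext syslog carrying privileged-account activity; the step should at least state that TLS (typically 6514, configured on the forwarder's rsyslog/syslog-ng and in dbparm.ini where the Vault supports it) is the expected transport on any segment that is not fully trusted. Step C's validation command fetches `Sentinel_AMA_troubleshoot.py` from the `master` branch with wget and immediately executes it under `sudo` with no pinned revision or checksum, so pin the URL to a commit SHA and verify a hash before running it, or split the download and the `sudo python` invocation into separate steps so the operator can inspect the file first. The `permissions` block still requires `Microsoft.OperationalInsights/workspaces/sharedKeys` action rights (and `delete` on the workspace) even though the hunk's own `customs` prerequisites describe a DCR-based AMA setup that does not use the workspace key, which looks over-granted relative to the AMA path — confirm against the CEF-via-AMA connector's permission list and drop what is not needed. The `descriptionMarkdown` was copied from the legacy connector and still says `The Log Analytics agent installed on your syslog staging server will import the messages`, which contradicts the `via AMA` title; reword it to name the Azure Monitor Agent. Minor: `python -version` in Step C should be `python --version`, and both the `title` and `2. Secure your machine ` carry a trailing space.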
@@ -2,15 +2,16 @@ "Name": "CyberArk Enterprise Password Vault (EPV) Events", "Author": "Cyberark", "Logo": "", - "Description": "[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n1. 
[Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)", + "Description": "[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\r\n1. **CyberArk Enterprise Password Vault via AMA** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **CyberArk Enterprise Password Vault via Legacy Agent** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of CyberArk Enterprise Password Vault via AMA Connector. 
Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", "Data Connectors": [ - "Data Connectors/CyberArk Data Connector.json" + "Data Connectors/CyberArk Data Connector.json", + "Data Connectors/template_CyberArkAMA.json" ], "Workbooks": [ "Workbooks/CyberArkEPV.json" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CyberArk Enterprise Password Vault (EPV) Events", - "Version": "2.0.2", + "Version": "3.0.0", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1Pconnector": false diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/ReleaseNotes.md b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/ReleaseNotes.md new file mode 100644 index 00000000000..8307f60b7cf --- /dev/null +++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/ReleaseNotes.md @@ -0,0 +1,5 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------------------------------------| +| 3.0.0 | 21-09-2023 | Addition of new CyberArk Enterprise Password Vault (EPV) Events AMA **Data Connector** | | | + + diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index 8aad7a5b0af..aef81a2dfff 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json @@ -1544,7 +1544,8 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "CyberArk" + "CyberArk", + "CyberArkAma" ], "previewImagesFileNames": [ "CyberArkActivitiesWhite.PNG", 
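Review bot: The new `Description` joins the connector list with `\n\r\n`, a stray carriage return inside the JSON string that markdown renderers handle inconsistently; use `\n\n` as the rest of the string does. The opening paragraph still asserts that `The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics`, which is exactly the path the same text then says to avoid where AMA is available, so rephrase it neutrally (e.g. `The agent installed on your syslog staging server`) so the recommended AMA route is not contradicted two sentences earlier. Since the legacy connector's title is now prefixed `[Deprecated]` in this same patch, the NOTE could name that title so existing installations can identify which connector to migrate off.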
@@ -5023,7 +5024,8 @@
 "CyberArkEPM_CL"
 ],
 "dataConnectorsDependencies": [
- "CyberArkEPM"
+ "CyberArkEPM",
+ ""
 ],
 "previewImagesFileNames": [
 "CyberArkEPMBlack.png",
From 6b8c3167551b113fdfe1f56a15e1141a11c2a480 Mon Sep 17 00:00:00 2001
From: Github Bot
Date: Fri, 22 Sep 2023 05:00:14 +0000
Subject: [PATCH 2/5] [skip ci] Github Bot Added package to Pull Request!
---
 .../Data/system_generated_metadata.json | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/system_generated_metadata.json
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/system_generated_metadata.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..d66173db840
--- /dev/null
+++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/system_generated_metadata.json
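Review bot: The added `""` entry in the CyberArkEPM workbook's `dataConnectorsDependencies` is an accidental edit to an unrelated solution and hands the packager an empty connector id to resolve. Patch 3/5 in this series deletes the entry again, so the two commits should be squashed before merge so the intermediate broken metadata never lands on the branch.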
@@ -0,0 +1,30 @@ +{ + "Name": "CyberArk Enterprise Password Vault (EPV) Events", + "Author": "Cyberark", + "Logo": "", + "Description": "[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\r\n1. **CyberArk Enterprise Password Vault via AMA** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **CyberArk Enterprise Password Vault via Legacy Agent** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of CyberArk Enterprise Password Vault via AMA Connector. 
Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CyberArk Enterprise Password Vault (EPV) Events", + "Version": "3.0.0", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true, + "Is1Pconnector": false, + "publisherId": "cyberark", + "offerId": "cyberark_epv_events_mss", + "providers": [ + "Cyberark" + ], + "categories": { + "domains": [ + "Identity" + ], + "verticals": [] + }, + "firstPublishDate": "2022-05-02", + "support": { + "name": "Cyberark", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support/" + }, + "Data Connectors": "[\n \"Data Connectors/CyberArk Data Connector.json\",\n \"Data Connectors/template_CyberArkAMA.json\"\n]", + "Workbooks": "[\n \"Workbooks/CyberArkEPV.json\"\n]" +} From aeccd074745eef3e9c568912f01932ba41b79b93 Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Fri, 22 Sep 2023 11:01:18 +0530 Subject: [PATCH 3/5] update data file --- .../Data/Solution_CyberArkEPVEvents.json | 1 + .../Data/system_generated_metadata.json | 30 ------------------- .../WorkbookMetadata/WorkbooksMetadata.json | 5 ++-- 3 files changed, 3 insertions(+), 33 deletions(-) delete mode 100644 Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/system_generated_metadata.json diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json index 50df6870d29..7f8a4b9ec6c 100644 --- a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json 
+++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/Solution_CyberArkEPVEvents.json
@@ -15,4 +15,5 @@
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
+
 }
\ No newline at end of file
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/system_generated_metadata.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/system_generated_metadata.json
deleted file mode 100644
index d66173db840..00000000000
--- a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/system_generated_metadata.json
+++ /dev/null
@@ -1,30 +0,0 @@ -{ - "Name": "CyberArk Enterprise Password Vault (EPV) Events", - "Author": "Cyberark", - "Logo": "", - "Description": "[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\r\n1. **CyberArk Enterprise Password Vault via AMA** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **CyberArk Enterprise Password Vault via Legacy Agent** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of CyberArk Enterprise Password Vault via AMA Connector. 
Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", - "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CyberArk Enterprise Password Vault (EPV) Events", - "Version": "3.0.0", - "Metadata": "SolutionMetadata.json", - "TemplateSpec": true, - "Is1Pconnector": false, - "publisherId": "cyberark", - "offerId": "cyberark_epv_events_mss", - "providers": [ - "Cyberark" - ], - "categories": { - "domains": [ - "Identity" - ], - "verticals": [] - }, - "firstPublishDate": "2022-05-02", - "support": { - "name": "Cyberark", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support/" - }, - "Data Connectors": "[\n \"Data Connectors/CyberArk Data Connector.json\",\n \"Data Connectors/template_CyberArkAMA.json\"\n]", - "Workbooks": "[\n \"Workbooks/CyberArkEPV.json\"\n]" -} diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index aef81a2dfff..2e6e0731b36 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json @@ -5024,9 +5024,8 @@ "CyberArkEPM_CL" ], "dataConnectorsDependencies": [ - "CyberArkEPM", - "" - ], + "CyberArkEPM" + ], "previewImagesFileNames": [ "CyberArkEPMBlack.png", "CyberArkEPMWhite.png" From 93fe4f5aa4676d621b18b05ef4127ebb6a8992c9 Mon Sep 17 00:00:00 2001 
From: Github Bot
Date: Fri, 22 Sep 2023 05:50:27 +0000
Subject: [PATCH 4/5] [skip ci] Github Bot Added package to Pull Request!
---
 .../Data/system_generated_metadata.json | 30 ++
 .../Package/3.0.0.zip | Bin 0 -> 11016 bytes
 .../Package/createUiDefinition.json | 11 +-
 .../Package/mainTemplate.json | 459 +++++++++++++++---
 4 files changed, 443 insertions(+), 57 deletions(-)
 create mode 100644 Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/system_generated_metadata.json
 create mode 100644 Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/3.0.0.zip
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/system_generated_metadata.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..d66173db840
--- /dev/null
+++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Data/system_generated_metadata.json
@@ -0,0 +1,30 @@
+{
+ "Name": "CyberArk Enterprise Password Vault (EPV) Events",
+ "Author": "Cyberark",
+ "Logo": "",
+ "Description": "[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\r\n1. **CyberArk Enterprise Password Vault via AMA** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **CyberArk Enterprise Password Vault via Legacy Agent** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of CyberArk Enterprise Password Vault via AMA Connector. 
Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CyberArk Enterprise Password Vault (EPV) Events",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1Pconnector": false,
+ "publisherId": "cyberark",
+ "offerId": "cyberark_epv_events_mss",
+ "providers": [
+ "Cyberark"
+ ],
+ "categories": {
+ "domains": [
+ "Identity"
+ ],
+ "verticals": []
+ },
+ "firstPublishDate": "2022-05-02",
+ "support": {
+ "name": "Cyberark",
+ "tier": "Partner",
+ "link": "https://www.cyberark.com/services-support/technical-support/"
+ },
+ "Data Connectors": "[\n \"Data Connectors/CyberArk Data Connector.json\",\n \"Data Connectors/template_CyberArkAMA.json\"\n]",
+ "Workbooks": "[\n \"Workbooks/CyberArkEPV.json\"\n]"
+}
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/3.0.0.zip b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..cae4bcde7f36739e2f86803b299c5a153800576e GIT binary patch literal 11016 zcmZ{qV{j!vw`gNbY}>YNdt#ngC$??dw(U$jNhY>6v2DHi>iu}{-dneOS9NvwuKlxX zb@x)11BXBd0Re#lk!R%8956(a?t}#ai6sI7!TPsq;$#MJF;lk^H#4`gvvRSrw_~(+ zwzs>~_O;*W!1?aW54x$1AkcF93+y1#y58kE)ekU5$kIa;Lq%^9-_RphA*<}LOZR>H zBs|mCSbtdF2m?r1%N-0If2MxD1T_xW%Qs-M5aBlttgkQPD^R{h5#5K>i_@c?-y>yW z`W5^&o{>lV5c5AP)!~)nVUxp|e_9BV`i}&Y@UJP|bmVEq9NU z$c(TAV+b4=&(xt|%e2Q5oq71=^Lm^bI&zznb;G>Fwmdw!#qY1`Z~i zvf&q5L!j2nq8Qjh1>kx+e5Lx980LYGaq7&T$sn~aD&nW6oP5tmSjlW1!HsB%@<*LT zRQJ*83*gK_Gf4J~ROJ|4gc%Rkm_135GmX3Tz>m+=AB@~7`uKmzFDC4di3}7C`#K>+ zI}D{|_fZV`SA*e0q5ApWxIT|gh@>=n+Upy%7f8l}PzebbeD<%Azu`nZz?@C;$`ax6 z)q^QQKn1~%@0iM+`E72wR(~Hc@xz4B?E37C4)H9;*Q=OOLkTp{hH0HT%ai+{z=EsQ z2E>6ZB~7X0@1GukDqpnDv$WfC3wa6{C+eWkU-U#zSln>CIXO;gkOnRpA^t{t5{z3t zT;3&*9-u%C*_R+TXpe!8D?5B91^A4Nn~a4zSyZstnWD3JSe%UgMXgoIHyhQO z60b7vJSHt=oPKzwu*F1}HHS#)M(2Q5!Wg3bC_r!|$U^Nrq>HKvia`7MyK=shkd}pD zf)UVi`+fl=d(a{wNuZFDX&MApD+p2*7>JUe|IIe1y;8yWneQRcBuJnorZPIbIp zv)6$xO=fYC(KJAtOrli4V;Nv1Q-TjZKq_>yaWHG~{+>UB8Y3V*ZGOylz=OmqCHbTC z&~#56!t|CyoVYYK4go<38hE)gEeVwSs(I*@;UOQ3kqeu3C*=%PpT;=Drk)ww7UVFRY9Z zGaD^w@~mw7{2YW@U}_x5)VejwZvG_Vl1yP+K=b!g!Q0WxRR&%x#n_g3r99;8jV>q%X}O70v%VcyNsq7!+epSSjEWtw*leQ=k`KN92B? 
zL~CHK7G2L3)?esRVFnA$@!jVaK(|CEy|uNAG4F87i> zIp8Z2L^Qb<9Nm?H_Gd9%Xa7X^yz8-Uq{3K(8ZV!|h53YZjW%zh0Uwp0PkIU|o@ldY za{*H#vjI3jdEjE!F@i&P#4P@X$8~UDx;GJ1Py8cLQ%(7Bk<%n&k!uc)Qv_Z-{Vs)* zB$ZD6+cwykEWwdM*Baxv5;ShIdbQeR*7Ty0W@=XiH*&fn2f{0p5%>bmo6s`B1EvC0 z+?GqfZm@D)?!PN~)!(ftkC{ioU62d{p#YGquGPr;DcCn}{A{5r{p0_c8D~*hLRzQ3 z$XoK$g(C7baAH#qXD&h9v)m2c61g{#SerUJS#Srlh>eP`D;-9Kc97EAv|l-GVQ%UV zN4*zzq^a4;P}*4-S^h9yERv*qaGIZf^2R=zjRf2JZg_Ha8j|s3vyBwu@E*dDIYdwt z{HQlVy}w<7&y3nB#{D53`5yT7F4FeE9%08;>&c7N1~AW}t>^P8zEw7!C5$7G>=!bM z$g`I)E&xzl#7vaQl&dm3`m}JVB?!@(U@pEABx!1+saZ9Iz{G5L1O){N?z;I976DW5 z3BktKJiRO=a3LK;-C5)o8BEZWB3u&!Hb(PbkQh8=` zJ(&yGtR+^08o~(p4uSXI5h$GRfpR+sCm{nX_0|k_m?J-A&@NXg)jq@l?jVz$QWM3q z_XWTv^vAr$RPW3m~~^c#d0&zQ^2TIw}%N6NdhB^%n$IqY?D za-AH<`b$|Kyp5QIax*%*X$oxW)Y);fe2=bu>*c7=m@$2JmKAT* zw!cT@>boddKnhnIn9xepLhYDoa@C7dr9R9+2BY5t-d7uCadV&dlS|9fJDKQsF_gZK zn3?$i%1*58WVrXIiXl1ibEQ-won>r&SHxyIROL%9$;gNLsm`f+HY+nPRB5fi&7_o= z4_TaF%N=sP-yEHv)u#5@BncGpJ=}fu_td@}dS9;29+ksG7U$Qh9n}wvKBW=7CI)&~ z+Kq7U;-;5PYctk{A--A1<+fLf0>Ec{D-2*!9n{D*yz3uVv@l1w7Uy<4tcOQG4% zwLcUR`MJyPd$uGOk`X25(bJD96&X8lU9%W2x-y9heU>d7uEvND%v+*%TwC0xh3pv^ z?R-&m{=l2=?ajyItM{$wU%6HMtw&fcT2{-rQ0D`yHk;rGc4?}3d>^4~BnS9kaL#+! 
zL%8wso`VQ(6t4;joovEgBn>HrJRpcVL8(kbl;Q%VXwpcvf7=3EUSIy+jtGG&{}|7drso;$}9^)h@;lMA-cD4q-BRAA=H|hvXzWs;nJB+Dr z$zvLJzkH<0_;`;gJk``LLic);XO)aC6Na0VSbvZW+FVE+AMm)~PLal|IN7qf;Yc!i zT2T4Px8)J_ZBWiId5FzkVG#YEjI+i50ndsTLB#7u|C_$9ztuyqcvT>pj0t-paF4xb zmjdDUEri|ELNy}+AphD{Xs=aJJS9}-VAimRITHwUSH~i1O^bp^WMHAXGk4;~s~^lD zkLe;{l{ZFJK2uE}CdnMoizHB}-kmri1;Cv0y?4UD5M4-J86&fh62_ zd#FtRdm&@7+# z1=yU-@@KiMtFN>7vk@@=rdNIZb6g*I^k(oV0ftS26`sDAaRJ#T6fY1ya5fi_L^cyC ziWz6@1V*|Gxi|`G#;$0-9yNBg= zuqKvo4OZu|J3F$BUkU6wo50D{&ruQFY^G5Y+vc9od{5x)Y0cbP+x*g^{gzFzH&LNb zx0O;WMN*ac0f}la1TVS$GJAQxRq_b;{1|A{-jcWv*8d3NAr$izN?32*Q&zLBBGFi- zs1EmlhCVFQmpJcrVkfb-GL=%XnLr1kJ zL&}s_u5ch3I%VlxmBptCC;7&XQWi$~XE<-NA{c&YWl3*jlQ+9Js}kszWvyFh0(492 ze`hNcU2b1j@b5N8O$vUmo>j<6$v&_&dCxftD}*yV-b0M@Zf-v1&HjKx z84^MnN(cVbI95k`XpGR%QP6$RY;Ci?^1L$zN4AetfFv(M_}WGuN`jKhqmpX!-hDrSn!q7Ir%9h1m_ur+;|E#DGF948}<2j zPTETT?ehk!^r2D;(MD};Z21G)agoGvxagucIz^{Q9#;QTo~l`4&$!a2VHZtB#c75u z;SxNFj45cry?M!sT9ostqMN~B1@?0pRT`8D|DHcCF?J1CIw*I+|y* zrR56p-AwX>eSAEkm>gR(KK)w4ixR8drWFxcWWU$@Y_Ac&HfOtdtGVTK`Gm_2p|XXb z)Fz5Tk?v{Kfi29^C z*4`VI9ZA7oZmHer8=1%Usb-44U(=uSp++3tt*gHj&-=*hd~J>cW%L$s=`3S=*mUi@ zWD*t6^Swbe*ZXDzB=hdy0iDvJ87F#VVb9&0IoQ!6BK7E!JZxcPQH%G+hV(C>kf=kZ z74MF7Ak3XNws%Q!KnumE-wvS}eAyIYJ0@sZp{2F-FDlg4r;-0oCHJ9;wm0LLMM*N@ zivXXjw*%AZ4+r_O6qW=F!n2|R+M{7N@e4d#E8&aA*g0K7$bAG?SWmbemUXw&S3y8Q z*{i;-8t3m_QFO|E*gh4+A8tY{`NN3>%*t@s#&F{aMPET*f%C&~yMMm!u|h`NcGsDq zv9}iE04I!Y*d_?s%q-y4>`?CrT%;9BgD9E7dT17?UWgRBMJX6DeB`J*?cF{{no|h55E!K}EA}*@ zaOv7y(fC1GsfzKg$h^HPfk-VMsc+5Ox7#w;6m`JOVi6@;v>q=HmrXto3xdH=mLLAi zZL^$ORN*u6HN9(-&mlQYSLAti&V(6ZC=~m{&X*t+&_DZ|xEbca(m0waH}e#}s6Z1r zEq^|;z|zzs@Itr*Mj8J?0APfugP#_A;2T|}Xg<===i0#FaM9Uv7l;U6hk`K$E$i-{usu zHJx>*gq-kV*ravN77s+iiYALW)%W>%fZsY#4@EBa5R*!K}-)IcA zjHnaihsTB1TW$RK*b@#1dN=F4EPIw0JOQBDVhoOE^h>L&g`--3L~9UQy;awHF4Z=j z=q+&6NQ~VdE?e7HV6fTI1<0s^9HEi0+Aojt$#zS6mUU?dXlb%ClU@*3)z?1?X?`kQ za){HVm(UrJe8-o9t+m4jx8VNfgw#JQ-!m4BUMed`oZ z3Eb>@cl1dS^^R^?IL6q6M2I#f8l2H+>~oSwwk@rGvl(#F 
zm^D8QZONqEkmL-zv~?MJP`B~vy>k0#!bj6Ga~UM~BxRHCVo^Pyl#;fI4+=)&_Z!lia;MilW{zYwfm_185;FLObyJ6=>$V=1&#Nf4g7)J|WxPS9#K!syFCLo~k zF|9JN8u9&7KQM!gfbuisWaL*yk+%`}JhL3zkOqhNv?DqiumT@E2^bE7YNvQDYhw$9 zUA{5$l*z(HdtdYQaYw;CmgDZB}F3KogtQ^ePOx4WP54oi_x>&pWdu~heGO!XDkuBaf%{W{sK-m?)VmhHkFLbNwq0d zB>jWwXC@^*=3_uS)611Smys^LqfT_V zFU|O78@-L2{p@ghT^mVqjqd5D-v1VK5~4lr?c4h}>SL?Vy2v5cAn9J6Z~D`Lb2Q;j zPVsVGNBs)KZ<4R6ODC1SfKIA1u|xpVT(6QGrHAVpVhY&qN@W1&H?-GKsi)OuZbTDn}?}5$oz|CU;U)SwlAt! z7*9iLL1&}2VoPV>jsGOc-CCPtzp5&ScYQ_#rs_vDF);Q` zCR;2}2`q+(X;6G^$Y6?!>kQBkx^6KJ{}~&~TOkN_7vxL;boTVj6nb~FQ0u4wLijkWsaQ(3h=g?8 zwmSLz*ZQJaT;R#6LlPLHP=JNaHVU()J=Tr0nG)FlXNF&$%hXotG&&gSvG}|>bkDpg zQs*)?PJBRODk0LSG`uYaoOPD@dsj>Q7eaFNQVv5)S>==$a7|IIEbDSL?r%Vrf?PAL z1ads|WPa6r25)k|v#pR?UG$mArDj|C$_dEd36$bKb>}czRnRbclL#SP+CJ7@S7#;I ztZI(CSPhA&bJ!hd4SwbdEIo}n_0JvLVXvX7eAF#$OC<#Ac!ByHP1rcYj6Bes4&_gY z)>SUvYT4x;#0<}IWhQW@?>l&B3aH*+B;aS>+Q>c_Iv?AfV01Q7loNeHBV4*~UU2>l zX}*ByI$gYC$oj@jFa74yy7t-DwAU<#JM~)9cX_SPC+ttW{v)PZKvm;Q>Ys90Z-2Vo zSI&Z04lO@~wC}zm7vjkB#-65k&S?11(wxw z(9j)tY#$tC55BPrFy%GM26wWtZqQBrA43=$9cAj((DwBr8&G#`;5LRrqf5a}=lg9$ zbgfckt6ef9{tCNil*+A+TN==m%T56-%j3HzX%xTBpHb2+EH>hSbf ze*%+R%K}c%0@{sM(uogAi22~jSnP?l#PPIjupQ8^LG*M z9?k+StRq$(k_y>HYq$^orCj=hN)FL3xcG2l%4D5PeHzBq^NWE=- zy9Q@AN3KMe`nJ0cO&x7~a-jC|`HV-*UT7~N4x>NZ|Fe^S7R`Y@NAi`Py01!M&0i#Z%B-} z;F0cq5O1F(07a%kn|`7x?~nxV@4U#DDd1#-k>aDnH{jUB?LfW*cFVS8*!(sH>=1h- z(u2kR1{67c2yR$Ja0fKNkHV)fps_9ZlM5%jgLhh0o8%^h;7ZG65h-$s(IX(nS4#UrGn`nVw?CUwZT=dOur!=*mS{zR-@2oq$*OjF zWG;I4?5`jcJ}}=_u9{Tk2hQcD`0xXDe%DmMGJgNbDom_62CW>o^E7L>ei7p45=*xW znd$}gU14S?to2|MHXch9P_-isG8@j-HAv#tYVxI{VfDL*-Oa+$v2VzTYUn`ld;Kzd z4=$Q%G99+Gi%z-kJ=CtO?-G_Z$BnvbO>c1WTQ5pQSE=^2NYSpqOu%Pu5bMlD09Gu|!`w>b=MXDD1qkw{62k0py;B z+viHrtz0{P!L9xZ@V5DLcXvfD-f}#`3PPxML17VeqL=mX3Dw0tEIldpejERHAmIXO zdQ^9@DY=LUXMB{rt)!3r*~ol}Tt2$T0a$NP!W`n>9JsC*ELr>;BmImmlppAY$e=K> z7i)wJBbc&q(J*y;KST%8kWMiL;K3qJpSsvlw&ChA(3o&244r}_#QDKf z@v|{RC(oN70-A02S@lI&F@t(*DT1Ra5lmdF=m!t5xpyAhvqESU5(Rtwz7Hzsr^Of= 
zmpzX;&RI54f53#)*&mT$4+S*sk8Alk_MsyCm+>8y?I@Ap(Fsoo-y-uT?=wK``jyFo zFG%`h>@CSe)fzU-jyRmB{@m)<9S>KiF*#~ZQN$z$L=o>NfRR|_k?mTqnH$1K5y?nL z2DDW&uv7ZCr#B!`n_uClBp%-oYDej!ISA<5adwyEX%?s`+c;7bL9DAXCWOjH0xIR9 z1*p%6^&>x@%Kc%i>6QTa0OEB<5qQPo1>B5*N<{VmqLQCl(0Dnt9U_IMZC~7`;&^vW zGsV;~9@;0hMU(%o;{!}X^}Ld%_WW_wk_%hz9Z1JUDdZ9DZ73DY4?+BTC1P*Mm%PM7 zLga(1td?>ehXM5{&Rr}gvS;4EB>s{g6k{Igh5=AyBq$pidQ_2%Y>8ltM{Rlz#djT3 zNwRi{L#~)1V0zW&be!d=ZZ|dI;)^%2qIBth(INean^pDgYknU>^s8H(@5A742JcI4 zre?~uGgY}^-VpIPBoGgjv8i-`#z~F5PyWGJ!Zln8DHf)qGpT0Lmy7>?Nkk-5c4`EN zO(PxD5p-`5YN~{86!b00EWO)BjczxJHDk`vY{os0hP&^Hj<#=-d~q`1B24h z6`WI%eqcfLPOJ^zfe}ty8{kNk~ zZ8nA%&qlu62+uW(V`g1gH)lw>N5WnyUlKeYkG;mwZgO!MtA8H@t=FRF-N>RmD4(68 zBBLrxDi8XK{y{lkp|EEC$|1Zqi)-w5Jdrz8A_68%9Y8eg9=Pe5{IW)CN$^_82^T5tIV4Jqw(uIW=IiP+FG7_`T~{!~c~~rR4mSQL!vbGRp zwE%~!mVMZ<>Y?DfTy``)$pi-=CFH$0=jA+*?1M!#?i=j>S{1nt3iU6K$WGq1 zveq#T2F_T$bNmRDMGyHY-QOF#a5=2W)=&ZhrTF$y49j)%>*_k)vaX3i^00@Z;IZ2% zu;DKrL~_1Rwx}p-Q|5^9+4>p)9-;Glo2n|SZ8n8RBa2zjo14+;;A{6?q^)AmkH>b2 zRSq*eKF8h{8X@1Z+vPmCK5l}1ItciE`ooYmrA)E*D5U&5@K7ZdZ0?u&z2f1%OGS7) z3y3r$IzCOY+2}dhBb>G@F-Wv`@sQaWhemOM_l+K=^gRbs zy7}=;g-_gfo1*L-F@N)q?@sXI2mFhJ+FxoQ9Sg>6aO?^6e0$F5b?MNeSS7AI_}YU` z?Eq9~U;|oDld$E@%>BpMg6B9od&t2v5_!R_*ydBqBM3BDI79U7PTy@Yg#BS zkezy^4bZM>G56W?IaEU_sW&wWYwS?6H`Mehp1ikGJa9~oFCDa58xLykEpD!QyBZNT zkvXHP3r4GFvI{;&}lC*V$vhd-(09|RKaOQ;Q3k03LG_0im9#S3ceJDWm;btc*oJ- zOx`WC$enu{S+d%jx){E%c>Ez!^=0*b3K>zsj>*3*fmZUm!}1g@pAo-+$^S{HdN)j& z91)jiz9IJNk-siYBVu+e;(_B4L(!q)``aJo_FiVjFKp(~xIj3p;BVw;1gUxWqz|G+ zTnjWz+3Y(^K7C3hR)O)e3{u#0375AU?k>8lm`(1cll}GBx)A3<`=-#BT?6>mV4r`l z;3+|w?|ls2ny9vQA$?-M3#!uhIq<~6Urpn0%=1?9XWuWp9uHqIgsXCk+#9h&s9-RQ z7aX7Wmu{&UA`|XCn$2mi!KNmrmp|UY--F-pH&oq0_RKwTwG=xca=WWTea6SPTSi2` zq`;h+{31^3saG!D_9jpg@V>ySS0=N36qdl84mts1q^bxcs~$1lc!{*dBom?}YgSp? 
z98<{NzA_eAlRVyHndW^N@Xe%vpZacV801%8^W$eVnG=BDYmH`A+LgkhMBk6S7FnFO zg-PmP$?_ID4UB|zM`D@%H9V6BtU@)S*~@G=yXP5(m+aMzWwx(%OI+W!dR?0*kQ+RQ#=uQERTFi zw#w++0Q-ByoY85SO;r2A=RfXT}{Ic=fpU-Co}%VaoKYJ-*hu3n*WoX!bwSIGos%=+iAB!Pjau zqipi+0tVa$3i-D@9vq%v{S>LMD&}`))`9MH?epr1lV`Z+?tVXie%W4si~%2LgWXyO zy8eO7>1Op-_93PpFqS8E2<*D-G@Z0xfy#r69c|y{F3p#0$(XH@A64sh6A?}W;s(WIRw^n5$;bh7Bc;y})od6n-9cjRKy%Ez#(mKJ@S&^G zI#(T`#p5|+UEUDuY1d#O*ox3l(oBw-sr{?-?dbcTe*g-G4*tLUrvD^_|F8Wo_UV5w j^4~Rv|5xGapUV0_qy}X\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. 
Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n1. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. 
Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\r\n1. **CyberArk Enterprise Password Vault via AMA** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **CyberArk Enterprise Password Vault via Legacy Agent** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of CyberArk Enterprise Password Vault via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -60,7 +60,7 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This solution installs the data connector for ingesting CyberArk Enterprise Password Vault (EPV) Events in the CEF format into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for CyberArk Enterprise Password Vault (EPV) Events. You can get CyberArk Enterprise Password Vault (EPV) Events CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
@@ -72,6 +72,13 @@
 "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
 }
 }
+ },
+ {
+ "name": "dataconnectors2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for CyberArk Enterprise Password Vault (EPV) Events. You can get CyberArk Enterprise Password Vault (EPV) Events CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
 }
 ]
 },
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json
index 4f522189409..98dc1e873e8 100644
--- a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json
+++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json
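Review bot: The `dataconnectors2-text` block added in the `@@ -72` hunk repeats the `dataconnectors1-text` wording of the `@@ -60` hunk verbatim, so the install wizard shows two identical paragraphs and gives no hint which one belongs to the "[Deprecated] ... via Legacy Agent" connector and which to the "[Recommended] ... via AMA" connector that the solution description in this same commit distinguishes. Because that description also warns that running MMA and AMA on the same machine duplicates ingestion, each text block should name its connector, e.g. `"text": "This Solution installs the [Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA data connector. ..."` for the second block (presumably the AMA one, as connector 2 is `CyberArkAma` in mainTemplate.json) and the legacy-agent wording for the first. createUiDefinition.json appears to be produced by the packaging tool, so the wording most likely has to change in the tool's input rather than in this generated file.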
@@ -40,50 +40,46 @@ "variables": { "solutionId": "cyberark.cyberark_epv_events_mss", "_solutionId": "[variables('solutionId')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_solutionName": "CyberArk Enterprise Password Vault (EPV) Events", + "_solutionVersion": "3.0.0", "uiConfigId1": "CyberArk", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "CyberArk", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "uiConfigId2": "CyberArkAma", + "_uiConfigId2": "[variables('uiConfigId2')]", + "dataConnectorContentId2": "CyberArkAma", + "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", + "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "_dataConnectorId2": "[variables('dataConnectorId2')]", + "dataConnectorTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", + "dataConnectorVersion2": "1.0.0", + "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "workbookVersion1": "1.1.0", "workbookContentId1": "CyberArkWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", - "_workbookContentId1": "[variables('workbookContentId1')]" + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - 
"hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "CyberArk Enterprise Password Vault (EPV) Events data connector with template", - "displayName": "CyberArk Enterprise Password Vault (EPV) Events template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CyberArk Enterprise Password Vault (EPV) Events data connector with template version 2.0.2", + "description": "CyberArk Enterprise Password Vault (EPV) Events data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -99,7 +95,7 @@
 "properties": {
 "connectorUiConfig": {
 "id": "[variables('_uiConfigId1')]",
- "title": "CyberArk Enterprise Password Vault (EPV) Events",
+ "title": "[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent ",
 "publisher": "Cyber-Ark",
 "descriptionMarkdown": "CyberArk Enterprise Password Vault generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.",
 "graphQueries": [
@@ -231,7 +227,7 @@
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
 "properties": {
 "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
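Review bot: The new `title` in the `@@ -99` hunk, `"[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent "`, carries a trailing space inside the string, which will surface in the connector gallery title and break any exact-match lookup of the connector name; the same literal recurs as `displayName` in the `@@ -254` hunk and as `title` in the `@@ -293` hunk that follow. Trim it once at the source so the generator emits `"title": "[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent",` in all three places; the source is presumably `Data Connectors/CyberArk Data Connector.json`, which this commit's metadata lists as the legacy connector definition.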
@@ -254,12 +250,23 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent ",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
 "dependsOn": [
 "[variables('_dataConnectorId1')]"
@@ -293,7 +300,7 @@
 "kind": "GenericUI",
 "properties": {
 "connectorUiConfig": {
- "title": "CyberArk Enterprise Password Vault (EPV) Events",
+ "title": "[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent ",
 "publisher": "Cyber-Ark",
 "descriptionMarkdown": "CyberArk Enterprise Password Vault generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.",
 "graphQueries": [
@@ -409,33 +416,352 @@
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
- "name": "[variables('workbookTemplateSpecName1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName2')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
 "properties": {
- "description": "CyberArk Enterprise Password Vault (EPV) Events Workbook with template",
- "displayName": "CyberArk EPV Events workbook template"
+ "description": "CyberArk Enterprise Password Vault (EPV) Events data connector with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId2')]",
+ "title": "[Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA (using Azure Functions)",
+ "publisher": "Cyber-Ark",
+ "descriptionMarkdown": "CyberArk Enterprise Password Vault generates an xml Syslog message for every action taken against the Vault. 
The EPV will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CyberArk", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description": "CyberArk Alerts", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"\n| where LogSeverity == \"7\" or LogSeverity == \"10\"\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (CyberArk)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + 
"permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", + "instructions": [] + }, + { + "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", + "description": "On the EPV configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machines IP address.", + "instructions": [] + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Make sure to configure the machines security according to your organizations security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. 
Secure your machine " + } + ], + "metadata": { + "id": "1c45e738-21dd-4fcd-9449-e2c9478e9552", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "community" + }, + "author": { + "name": "Cyberark" + }, + "support": { + "name": "Cyberark", + "link": "https://www.cyberark.com/customer-support/", + "tier": "developer" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "CyberArk Enterprise Password Vault (EPV) Events", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Cyberark" + }, + "support": { + "name": "Cyberark", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId2')]", + "contentKind": "DataConnector", + "displayName": "[Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - 
"apiVersion": "2022-02-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId2')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "CyberArk Enterprise Password Vault (EPV) Events", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Cyberark" + }, + "support": { + "name": "Cyberark", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "[Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA (using Azure Functions)", + "publisher": "Cyber-Ark", + "descriptionMarkdown": "CyberArk Enterprise Password Vault generates an xml Syslog message for every action taken against the Vault. 
The EPV will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CyberArk", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (CyberArk)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Cyber-Ark'\n |where DeviceProduct =~ 'Vault'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "CyberArk Alerts", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\"\n| where DeviceProduct == \"Vault\"\n| where LogSeverity == \"7\" or LogSeverity == \"10\"\n| sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + 
"permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", + "instructions": [] + }, + { + "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", + "description": "On the EPV configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machines IP address.", + "instructions": [] + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Make sure to configure the machines security according to your organizations security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. 
Secure your machine " + } + ], + "id": "[variables('_uiConfigId2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CyberArkEPVWorkbook with template version 2.0.2", + "description": "CyberArkEPVWorkbook Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
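Review bot: The `permissions` block of the new AMA connector (present both inside `mainTemplate` and again in the outer `dataConnectors` resource) requires `"delete": true` on the workspace while its `permissionsDisplayText` promises only `read and write permissions are required`, and it also demands `sharedKeys` access with text that links to the legacy-agent workspace-key instructions — a requirement that looks carried over from the Log Analytics agent connector rather than something the AMA/DCR flow described in the instruction steps uses. For least privilege, either set `"delete": false` and drop the `sharedKeys` entry if the AMA path does not need them, or make the display text state the delete requirement so the consent prompt matches what is actually granted. The title `[Recommended] ... via AMA (using Azure Functions)` is not backed by anything in the hunk — no function resource is deployed and the steps configure a CEF-via-AMA data collection rule — so `"title": "[Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA"` would be accurate. Likewise `descriptionMarkdown` still reads `The Log Analytics agent installed on your syslog staging server will import the messages`, naming the agent this connector exists to replace; `The Azure Monitor Agent (AMA) installed on your syslog staging server will import the messages` keeps the sentence truthful. The two `metadata` blocks for the same connector also disagree on support — `"tier": "developer"` with the customer-support link inside `mainTemplate`, `"tier": "Partner"` with the technical-support link outside — and should be reconciled to one.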
@@ -453,7 +779,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## CEF standard custom label functionality has limitations and to solve those, here are the field mappings done for CyberArk data connector. Refer to the table below for further context.\\n\\n| Old Label | Sentinel Label | xsl KeyName |\\n|:------------------:|:-------------------------:|:----------------:|\\n| Safe Name | DestinationUserPrivileges | dpriv |\\n| Device Type | FileType | fileType |\\n| Affected User Name | SourceUserPrivileges | spriv |\\n| Database | DeviceExternalID | deviceExternalId |\\n| Other info | destinationProcessName | dproc |\\n| Request Id | FileID | fileId |\\n| Ticket Id | OldFileID | oldFileId |\\nThe workbooks outlined here are simply examples to get you started. Your enterprise's security view will dictate what fields need to be depicted in your workbooks and Sentinel's ease of use allows for dynamic views of your Vault activity.\"},\"name\":\"CyberArk-Workbook-Notes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where OldFileID contains \\\"Error\\\" or OldFileID contains \\\"Failure\\\"| summarize AggregatedValue = count() by bin(TimeGenerated, 1h)| sort by TimeGenerated desc| render timechart\",\"size\":1,\"title\":\"Errors within the last hour\",\"noDataMessage\":\"There have been no reported errors in the last hour\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Errors within the last hour\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| search OldFileID contains 
\\\"error\\\" or OldFileID contains \\\"Failure\\\"| summarize AggregatedValue = count() by DestinationUserName\\r\\n\",\"size\":0,\"title\":\"CPM errors, by account\",\"noDataMessage\":\"No Accounts have failed rotation\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"CPM errors, by account\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID == 7| where SourceUserName contains \\\"administrator\\\"| distinct SourceHostName, DeviceAddress, TimeGenerated | summarize count() by SourceHostName, DeviceAddress, TimeGenerated | render timechart\",\"size\":0,\"title\":\"Logins by the Administrator account\",\"noDataMessage\":\"There have been no logins by the Adminstrator account\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Administrator account\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID == 300| summarize count() by DestinationHostName\",\"size\":0,\"title\":\"Endpoints most connected to\",\"noDataMessage\":\"The PSM is not being utilized\",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Endpoints most connected to\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (295,428)| where DestinationUserPrivileges !contains \\\"PSMSessions\\\"| where 
DestinationUserPrivileges !contains \\\"PVWAConfig\\\"| where DestinationUserPrivileges !contains \\\"PasswordManagerShared\\\"| where DestinationUserPrivileges !contains \\\"VaultInternal\\\"| where DestinationUserPrivileges !contains \\\"PasswordManager\\\"| where DestinationUserPrivileges !contains \\\"PVWAPrivateUserPrefs\\\"| where DestinationUserPrivileges !contains \\\"ConjurSync\\\"| where DestinationUserPrivileges !contains \\\"SharedAuth_Internal\\\"| where DestinationUserPrivileges !contains \\\"PSM\\\"| where SourceUserName !contains \\\"PasswordManager\\\"| summarize count() by DestinationUserPrivileges| render barchart\",\"size\":0,\"title\":\"Accounts most accessed\",\"noDataMessage\":\"There have been no retrievals of accounts from the Vault\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Accounts most accessed\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (22,24,31,414,416,418)| summarize count() by DestinationUserName| render piechart\",\"size\":0,\"title\":\"Successful CPM operations\",\"noDataMessage\":\"It appears that there is no management of credentials\",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Successful CPM operations\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceAction contains \\\"disable\\\"| summarize count() by FileName, DestinationUserName, OldFileID\",\"size\":0,\"noDataMessage\":\"No Accounts have been 
Disabled\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Users accessing accounts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (295,428)| where DestinationUserPrivileges !contains \\\"PSMSessions\\\"| where DestinationUserPrivileges !contains \\\"PVWAConfig\\\"| where DestinationUserPrivileges !contains \\\"PasswordManagerShared\\\"| where DestinationUserPrivileges !contains \\\"VaultInternal\\\"| where DestinationUserPrivileges !contains \\\"PasswordManager\\\"| where DestinationUserPrivileges !contains \\\"PVWAPrivateUserPrefs\\\"| where DestinationUserPrivileges !contains \\\"ConjurSync\\\"| where DestinationUserPrivileges !contains \\\"SharedAuth_Internal\\\"| where DestinationUserPrivileges !contains \\\"PSM\\\"| where SourceUserName !contains \\\"PasswordManager\\\"| summarize count() by SourceUserName, TimeGenerated\",\"size\":0,\"title\":\"Account objects accessed by user\",\"noDataMessage\":\"It appears no accounts have been accessed\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Account objects accessed\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (302,359,360,361,412,411)\\n| summarize audit=makeset(AdditionalExtensions) by coalesce(column_ifexists(\\\"ExtID\\\", \\\"\\\"),tostring(ExternalID)), DestinationUserName, SourceUserName\",\"size\":0,\"title\":\"General audit information\",\"noDataMessage\":\"There just isn't anything to show 
here\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"audit\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"audit\",\"sortOrder\":2}]},\"name\":\"Audit information\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (295,428)| where DestinationUserPrivileges contains \\\"ConjurSync\\\"| where SourceUserName contains \\\"Sync_components\\\"| summarize AggregatedValue = count() by bin(TimeGenerated, 1h)| sort by TimeGenerated desc| render timechart\",\"size\":0,\"title\":\"Conjur Vault syncs\",\"noDataMessage\":\"It doesn't look like you have Conjur\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Conjur Vault syncs\"}],\"fromTemplateId\":\"sentinel-CberArkEPV\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## CEF standard custom label functionality has limitations and to solve those, here are the field mappings done for CyberArk data connector. Refer to the table below for further context.\\n\\n| Old Label | Sentinel Label | xsl KeyName |\\n|:------------------:|:-------------------------:|:----------------:|\\n| Safe Name | DestinationUserPrivileges | dpriv |\\n| Device Type | FileType | fileType |\\n| Affected User Name | SourceUserPrivileges | spriv |\\n| Database | DeviceExternalID | deviceExternalId |\\n| Other info | destinationProcessName | dproc |\\n| Request Id | FileID | fileId |\\n| Ticket Id | OldFileID | oldFileId |\\nThe workbooks outlined here are simply examples to get you started. 
Your enterprise's security view will dictate what fields need to be depicted in your workbooks and Sentinel's ease of use allows for dynamic views of your Vault activity.\"},\"name\":\"CyberArk-Workbook-Notes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where OldFileID contains \\\"Error\\\" or OldFileID contains \\\"Failure\\\"| summarize AggregatedValue = count() by bin(TimeGenerated, 1h)| sort by TimeGenerated desc| render timechart\",\"size\":1,\"title\":\"Errors within the last hour\",\"noDataMessage\":\"There have been no reported errors in the last hour\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Errors within the last hour\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| search OldFileID contains \\\"error\\\" or OldFileID contains \\\"Failure\\\"| summarize AggregatedValue = count() by DestinationUserName\\r\\n\",\"size\":0,\"title\":\"CPM errors, by account\",\"noDataMessage\":\"No Accounts have failed rotation\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"CPM errors, by account\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID == 7| where SourceUserName contains \\\"administrator\\\"| distinct SourceHostName, DeviceAddress, TimeGenerated | summarize count() by SourceHostName, DeviceAddress, TimeGenerated | render timechart\",\"size\":0,\"title\":\"Logins by the Administrator 
account\",\"noDataMessage\":\"There have been no logins by the Adminstrator account\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Administrator account\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID == 300| summarize count() by DestinationHostName\",\"size\":0,\"title\":\"Endpoints most connected to\",\"noDataMessage\":\"The PSM is not being utilized\",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Endpoints most connected to\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (295,428)| where DestinationUserPrivileges !contains \\\"PSMSessions\\\"| where DestinationUserPrivileges !contains \\\"PVWAConfig\\\"| where DestinationUserPrivileges !contains \\\"PasswordManagerShared\\\"| where DestinationUserPrivileges !contains \\\"VaultInternal\\\"| where DestinationUserPrivileges !contains \\\"PasswordManager\\\"| where DestinationUserPrivileges !contains \\\"PVWAPrivateUserPrefs\\\"| where DestinationUserPrivileges !contains \\\"ConjurSync\\\"| where DestinationUserPrivileges !contains \\\"SharedAuth_Internal\\\"| where DestinationUserPrivileges !contains \\\"PSM\\\"| where SourceUserName !contains \\\"PasswordManager\\\"| summarize count() by DestinationUserPrivileges| render barchart\",\"size\":0,\"title\":\"Accounts most accessed\",\"noDataMessage\":\"There have been no retrievals of accounts from the Vault\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Accounts most 
accessed\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (22,24,31,414,416,418)| summarize count() by DestinationUserName| render piechart\",\"size\":0,\"title\":\"Successful CPM operations\",\"noDataMessage\":\"It appears that there is no management of credentials\",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Successful CPM operations\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceAction contains \\\"disable\\\"| summarize count() by FileName, DestinationUserName, OldFileID\",\"size\":0,\"noDataMessage\":\"No Accounts have been Disabled\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Users accessing accounts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (295,428)| where DestinationUserPrivileges !contains \\\"PSMSessions\\\"| where DestinationUserPrivileges !contains \\\"PVWAConfig\\\"| where DestinationUserPrivileges !contains \\\"PasswordManagerShared\\\"| where DestinationUserPrivileges !contains \\\"VaultInternal\\\"| where DestinationUserPrivileges !contains \\\"PasswordManager\\\"| where DestinationUserPrivileges !contains \\\"PVWAPrivateUserPrefs\\\"| where DestinationUserPrivileges !contains \\\"ConjurSync\\\"| where DestinationUserPrivileges !contains \\\"SharedAuth_Internal\\\"| where DestinationUserPrivileges !contains \\\"PSM\\\"| where SourceUserName !contains 
\\\"PasswordManager\\\"| summarize count() by SourceUserName, TimeGenerated\",\"size\":0,\"title\":\"Account objects accessed by user\",\"noDataMessage\":\"It appears no accounts have been accessed\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Account objects accessed\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (302,359,360,361,412,411)\\n| summarize audit=makeset(AdditionalExtensions) by coalesce(column_ifexists(\\\"ExtID\\\", \\\"\\\"),tostring(ExternalID)), DestinationUserName, SourceUserName\",\"size\":0,\"title\":\"General audit information\",\"noDataMessage\":\"There just isn't anything to show here\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"audit\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"audit\",\"sortOrder\":2}]},\"name\":\"Audit information\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (295,428)| where DestinationUserPrivileges contains \\\"ConjurSync\\\"| where SourceUserName contains \\\"Sync_components\\\"| summarize AggregatedValue = count() by bin(TimeGenerated, 1h)| sort by TimeGenerated desc| render timechart\",\"size\":0,\"title\":\"Conjur Vault syncs\",\"noDataMessage\":\"It doesn't look like you have Conjur\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Conjur Vault syncs\"}],\"fromTemplateId\":\"sentinel-CberArkEPV\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", 
"version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -498,17 +824,35 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.2", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "CyberArk Enterprise Password Vault (EPV) Events", + "publisherDisplayName": "Cyberark", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

CyberArk Enterprise Password Vault Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the CyberArk documentation for more guidance on SIEM integrations.

\n
    \n
  1. CyberArk Enterprise Password Vault via AMA - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. CyberArk Enterprise Password Vault via Legacy Agent - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of CyberArk Enterprise Password Vault via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { @@ -532,6 +876,11 @@ "contentId": "[variables('_dataConnectorContentId1')]", "version": "[variables('dataConnectorVersion1')]" }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId2')]", + "version": "[variables('dataConnectorVersion2')]" + }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", From 6551d8c709407b576b99dfd3a1f42c06ae3fe18f Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Fri, 22 Sep 2023 11:32:40 +0530 Subject: [PATCH 5/5] update zip --- .../Package/3.0.0.zip | Bin 11016 -> 11503 bytes .../Package/createUiDefinition.json | 12 ++------ .../Package/mainTemplate.json | 28 +++++++++--------- 3 files changed, 17 insertions(+), 23 deletions(-) 
diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/3.0.0.zip b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/3.0.0.zip index cae4bcde7f36739e2f86803b299c5a153800576e..8d44b6ef97bb2f0ff2367ab4289ec48f2b1ba0c9 100644 GIT binary patch literal 11503 zcmZ{~Q;;Q0)L>h-ZQHiHY}>YNTc?aJn_cL#ZS$1vE}QfH_eM<2!%XJGj?CD(pE5F6 z>{!Zj;1C!fARsUx;(A|IWpP0 zIXTW~J2)MVqJA3|{+JX!8c(3eY&rl2&nT5Gj77ZSa&mHvacHcH3=weFy4C7*EYB2WLgUCBco zkO-7-)|veNnhR<~o=wY}yLt|zXOr}_9BsR^%A<)gu7ryk(u?hJ>1E-y!Z z>pGF3Lr=JW7fCL8n<-7yKLb$)p$H-zBbm^@Mh`lJ)*F&?^(>@unI>a)-&*)dBx(ny z2B%4DN#G$WV46LjK`uSPV=io?P5GE*5%542Q1gD2x+yEVS~*5{oTXL=U{Ec(`?b;k z)YE)arl~@tdm|n(@PVN}(ndBLI&n0ZYY25Z4rvAsfLbE!4Lzr)r#5UMg2@y=EuqbCc}1;n9DzsvWg^SB z`*PQ4j@uEaQy2(uEZppmjS0g2;R;XcTSuc)+}pk13G z4$uAK^M>Jk^>`o2C;|6pfH1z|$_%Z!CSgD^LqxW}Bvk^WhATemT7K$AV)8Xbt-l?C zUO>f7e~QNvW^p`#B7>4S46^S2cru_;;?3IBl2Zv$ph91p3^JIXXF0ZV9t4hcT_7RY zodV4!hMRA65ouPQl#2xZW1Iy)-43fh4FM7#%c#el*Rs=_2onsva-HJ%ZWN5Z2=k7f z9n|WV!C1Me<68<^jleK1U8?-~AW}gD_!>xm}*M6n6&wce2y70aCE4xt` zEfRIC76TNMVHkEOS03>AhnYzT-$IgQn5=6r{9#zMPRbbLx%1o~^ralatainvfK-+M3&2l- zv1Z-v$4&L02n^z}l!BHD!ujQY?aabGU8_!nUOHSq%1zSjSyn&+eyOfwc^}UrAujYW z3%mr|jYeJ&F$x<+sS|4#<7h-_Aaos9U@}%QtoXYb(pm0PV;l~b6>v!=h<1i<`rv;Q zyF4}H`AKHkBaVg_t#V%L=#6*3xq!1uGB=mr=|vw^|L2TSuaECZmxx-#<2(8*@2O)s z5BQLKSq{6-hZnDx*En(dZ?%1eqEt1ul7|l4HU9 zvLsQ-SfL~k;*!osK3Sszn!qgbE4c*UJ5nzy;$e_|7{(iyZxXW8f!!K?hm$$UA$6o0 zrX|0FrQLZj{U0(1`2@@i&J5A+WOQhkDVwF;G9l<~i+z!XY9WMa&YF#OZZY|`nN-z4 z7zdhzDkriasqgW;(|oeI;2W<3K?QNykg$IXpA&mE(Nt8d3%koo(E?GAYANG6BHRk&3BNWmCHd}cI;Ild!n6K z7N5lm!kv?~NlTn?CwNp^bLrsUqDPA_PMo`q)=(m96nOy$K?1U*S6F?O!ABRpv}Wwd z>Hv4e+V=SHqn*~Z`0u1!oYquy=n3oYwaLg#s`)j6R6|~`K1dN_Z|I; zvVZpn?-580?`}WhHCGU3x>0;5Zm8&Q*Vf~vwYBO5m|AdJv%=OM1w6j=aAd!67I4lt zma{&uZIybuFi}s^NllbBl&=)#Dwtfv-G|KDw|H6hfekR@CIF(L9!IdNgimNP;^q{` z;hjJU%Ir~X_P-Yd1RigQ`NRo2Ev@X|k|a2?^k`$$ha1r*xDtNCGjO?cP-D#lJ6WjN zo1B(@%>&+C&M8;l@9og5UV1LFjf|{@&#c7`jZi5Y;ueM58fPZ8<3jL6;nf~prk+wu 
znyl9-GiF3Fb~bq&bE<<+>TSO1j`;Ila-L@k^4m4sN+)BSl|P}X&byn%O~tm)vapRM z?A5`4n0+T#tF4b(H}rCx4Of6jtc!`Ucb&6nIg(SPj}vdcO(0_x_0^-b?Gq(7gDp0W zP0V~>j3J;0GmzSX8KTL>E!Ka_;hBTxITy@6TJ)%mZd8$Nw}`(sn96>623SLT|9PX2 zpg`w+z-*Ye^CHO9pAx-fTc25H##@VS)^gdg{9HFU!|U~_;;)*+&NLiaWyJoPs|1`< zN?@n47J?+B@@fzktPV(tzKMJBjI+?YzvNZ^-S+ihsfTCiqV#7hT~7HD4wj*uo{zVF zEaAfK7w8r*Ju=30ibkzG4h(8>25RyxN2x@z)N z+R5`dl{O*cWU6sqA zd+AAF7eQJG(^ieSPlWrLYPyYhm@EI?ejOUz(w?qxgc_s6bk3gV5c7Bo(Tyt$lP}2Q zY%8~Cy3&pQiyHU*ul-o*wWqK~SoB3#qiw-qS(@i}ln%6S7t$JQT`N*&BkzxWXA1^j*OUgeUW-RRn(hgU*R!A_)-mgXoux1?B0$eLd zYsXq+e{xgX%3--t)%o1ZLqw&TFD%wcZBDp~fiAk7k$kxa*xz5!%Kw`Tmn=E80%W?b z5XeA4!azYmQ2!%C2NN4dbqfb)`~Udx|6{^`27YdvT&+JrR?qxgH;^hFz!#QLcp?^zSdkenu!=Pb>`lHPG6Undn(xvx6czBozK4HF| z=7La~?slj17qeULvh3wctY?W{J`NO}EZkQbB4RWl8gk;qD5%!$ENG3H(71mWRYK=`={H*4!w$1 zFogH3u|3iDg2I7a3i(FPV$!d&?iP*_Snkli)gGhp_Vj3inQeQPf3wuCz~aQ#3MzN@ zt@VE(pQslw@{txdkqFJEoEVu;o_351KSA!ns^r;)Zhu9ilp zNXS@A6rYamPu7aPFO5WBbpsC^1!3C#RL6F@z3++!`9t8m0Lc*|9#s>Bod0W z?D~dxmkdAYh%-W0rC7^OIQ4hBakbfRXl#Eb=qnod$?8iI;B{ipAMqeqcE836rl_wg zfAyjf*DniT$#5My42jyUI@uq8B@Go~rB7 zhDm>@i@2f)tA2qmPfxt$UAHSu2?-CeJK)h(EsO5zPOmJj1#ZRuh!`o2tNrkG;9k=9L=pQubQ;<;<~*%!l6wjd?rlGG9n4^W$wR^sJ=~=N zZY*xD2E~~aO$UK(a3-X2oOp^q952;o_&vtAX$EN_o!0bFHx} zH*ekRC%Q`cr_K^#ohw1i7UAZTq=Ze!mTjE}37onW9gy;sQ0ta+9$in67sbE+Ff&_j z=5&uNj<6?=AhO7!d8&c@*b76K0L8SyuJ8xXKT))b49SCWGt9VNJSoajkZAR?u_Ge( z{;AsDQ3vo!py8ukHMvq-bs%Gy9_6Kx9)+mxv#y!WUeZ%iEnr_c=>t_YPhocgh3BLm zvut~Y_of)Z^>#1`mQf=wsnp=D*c+GNnDO+U+MYF~lCGceEKrhuj1XYN{(iOR z1l~dhsK(33%i|CNsAV(}xEaZclPfP*tP@5KgU80&t7Qh3sjC=?>bPm?IU{&QB8wlC z^CO=}$T7DRyP{foDnV+jsfU`oQsUppNp$AcCqKnDKveV&8NSi#y?!a({G=1;K6h{y zy@7~iLOG25kP_m`qq;M=K2eqtxLQ_ixT?rF>qgg|MCf-eaLj}mM88pGuTVO9Sa$U0 z4BJPI&zyp#MqY_2&eOP5<-I18r_8JxSP)Yk$>yh@6?T442Cirn&ys6=G{3Kt9_qCq zVJv&iZ~G`$_sXPWUP*IpF&6dI#!^Gf8Wi9^6jUnxTKj%#D2y7vX(`UWvisvCaq)r_Twv5B`HC{mibNdNRtsRJx1TqzDavra3 zVN>-@W?Tt$_B+t^xmrljk9a$wP2Y|Vr^%_|Pax6RO5#HTAJlOn4;x9alpN6>{|Yry 
zVV#8gU?rempx#3XnGIeqJ_!u=dp}f2tD%`WlOr5VqzThdVfzthOBK)G<7UCiFF=}$ zFBFS@^xGZ0J6rv{C5205+-S2voo!FY7G5H8;g}%Cv9N;CaDd(*A&XTig|g}dC!+h| zwR2JG6|1imxJ%OrIla81G{q>#&7mf)+zXt6I|rxII)x)|=govEH&Eg7-1zbx$m0v% z=Ooe+Gp+g*Oy{7lv*IZ>A~uvEuxwe%fF}Z^>-w^ zFW<;Dhk79=C4N9VbwxRwg-Z4pxG(6rDu&0$_l`Yu_w&R7^@g{R4zt~L7a z5jlfS9W+2dGT0?6cncMLDKXN4_=1 z)7?1oXZp3iWq6e))YzJZ94*$n@={#0iH+xR8NC7j?2J1fudX5E9f>1hQXLsNLFr)l z%-Ql)C#2jUCHx4WulYW>*AcA{SKn~SK8Xox(lB~fan%*|%`a2-?kUa^OC%bB%uJkx>Bx%tbtE+c;_PC~uTR)(g!X%at5NksL{?T3cIN$okrYLnJjUo+V?^0Kh z%dD@K5{A!Oi<y&01cKb3o1)+g|x!IIsg0Q$=yKG3s> z)Ds7#P0^wd^53E`kz=V1hQ(sCy{Ximw;C6<<>@7`DPmI`pR%46f6=7st0<;n27a+X_!%OC{AD z%vl|$RR*)K0f${z%L4V~d+JJ~r*POLc94uje@~Q+H&z5c6$Sa)4L75r<%3etV@%0c zOa%9EsSUG<13}gI3TQPTltC-j0P5#YOJ4l{vg4_=X_uV^ja`6pUo%u3dM zaK~R%y%tqBvj?_;gD7NMH4Bu;)!C2i`yZXm&784@_)wswTftLN?w3FO&pY-_zkaks z(N~{m{kTzBjV_fIF0BhC{K}VcZ$HKp{Os+8?WhPS^AH~rvzcHs&DpA|F3ovGgr63b z>=j&^8mmi@OX;0#G!fPBW~v3;5Ug3>`kQ+Z?1%X`8Zdu>$)ahZsqPwQhe>B^O?bqN z;&8|ijJCYa7Bx#PO{=5ZEbT;adRaBYv?N*+3Y-q&G9NDJU)3ggK<<$p;ttsd)^ka; zT<8FILIg5#A%m$|0m(STDO}-9@iA{F*?(>aiE2o(5|Psq!w7ZI+$a%OSzFFWJ9{i( zSj?|f;rgx!UgHSjC|)e4$~OBt8WkuRgrdXjsa++Lhh^7@RYWJg$IvQ^%}B6v@%nt` zBZxZ~R(pr(gaxAsp%wwPS4vvfXZNd`FKOuu4r8&yvjdyFrZkkr4_?SI$1L_>`Kp8?t4V$G$&SVlU6r!>y7|KkK=lryj7U(wDeUr z-pWMT&F%r_Ku;7t{pK=UxWSm?uAtbj=D&LaxB7lAlNujiaU5g!3<{OnrAiic#(vU0d#g>b zSaYmoHfxbOwgPLyW5u!uOw7#9xwBmD*~XGX_4e&Xw4r3@=kxFvq{$@-)9G6bTa(-4 z>{a~$4G`9t2JF#IFzrnB4k`{nZ5|{oITmUgV%z$b8#%kY-T~W(&QaOwgzh8aW6rOP zS7{+$F=luj+wggA<2vb3dHP;yi*j{EX)3&VYKL24qH+itjJ!fur5MP!_5hw8qc@qyE}ro zZ|Qpzq4*D#2ArM|)`{I{*KS{-iN~f2KE+>6!X8H-Wo2{(eI=Cnoj0rBDjm&#T<^0l zpehUxr)%cqyTU!KOI|OaJ#68Ezt$MM)oZ`)OvCF;8Fb?dAb(oQL1UxJKpx70zn57~taV_2Mz(bD+1%;0#f+3!1$8e^euuh@K#sSTXOn-z!mMB)* z_GbNyvj_f27i}a&N6=X5>RMwd`Mv1y=O(&*ly7OXP5s?1PkL$%zW=cHzachei| zxp`^yD+yKagaK_cmTMd+a=?tA+dJ7?m;L6;&$wlAUhbRNL^*TXfo&+|_^yB}Dw!Xb z?r$CTIDrv)ErEx*E!MBICYbnzUfF;zf`;g@dH&qoO&fGPU(phG!qe@#IZu6`O#=gm zbwki;mCWqpDNv7;3kMMXf*3Mm`12JMytKMS7^>2GF15M}Mxj)6O5p+>rzAtNH4r0J 
zEt!16KU|BALXAxe8>OyNXO_-_v~QHRf-=XJ%5kOM@Z%AhRsp6K|48HPx|MO&HufV^ zeA`HtxjjtFCj4W;q3Du+SD|g|V|-Fcpp~5w3Ey^s>D@m^dnlV@ZCECIH(_sVz+o_A zKe3vGxMq}h>d7Ht<7D&zF;yw_KD^8m)|YzLqzGtS3G^3l&1D7uqz3v^AJut7^KAoz zTq^S`i1$N)K1^2R_fv?6^)>Px&P0>qQJv`uIc%)3|B+{J+M0fzT=vZJYBI$}%XvFI z>ZDd7RUkH1XYSwCJn+p9UpQ%upo?`A$O43vt--!E^0Q@&M4`(z{1uJ5b%j>q)ImNn z&|T+eEZ34`eEmo>T1Q5Uind9%JFXmd>K@zo1g#CPQrTx;bK#{a-w6k9q#a8|{#iq@ z_0RSxbeoCi4i0&NfrwA>C5m|>{U;#qbq#2rkuLT%L>sDXV|)(trDxY%(;kY;B}o@I z>pephT5pN)Fd;Yn--@jc$JHiN_P)6g*@RAst!Q+Akga1Fs1VFOIjDxVaAp=38?S~R zzH~GxDPOu%2+`)55@&g0vSvPWqY$hB-w9g#JJN|2xWosKs|AN%bX;0PV##&SEXz2L z`K9TnZ5;vfu$^0#CPDCjF26>Wk{B74%-ES*9mCVH=UClre9ZNHabd%yeNKnTc%|Rw z8KJsQZe=#bjHx!%bOsHb0lQOfU50r;fcwy#7W_ND~9*_iAyH z9BAqD6%o@rTTG6!wV9&Y*i6ujn!yNmmN)LWKD6gLqZMPUI1OM6Q{*jTJeJ{8q>O$7 zKyPHKeOiI}7ZY2Lt+o2E%7E2{5yW7d z3)@r=L*gP@rc{x-qEjUz&CP^KltdK2NT&5AuWQu%_4<$CTbc^2iuV!&aRdnn}!!h(+GVn z+=v+xmb-_k?C_0)7gQx&T-J4bzS~a|*&a{L0pF@hv(vDiahc+ptiw8p%hpT|zK)+q z)0dvhr9e6S%S_HyX1igpD~p7=)Bfo>h={ENK@;;$1HQxu_WfIjqK}&L+11vO>v7V; zg1M^zytMDAljbfV^S^hSiW>I%#B93o97gvR;bn$m*3nCjVRQ8Xz`}3Ju+B{Q*p7Ly z?8}_~C(@D`BRuPmrhWyO-Rh|LlNm+Gvp)IZRg#}kk{?UHkK^FChZODo-HW@k5$94O zKh1h&1!oIx*g+?j^+&cxsRa*IM|o?awH9$!!ef>KlGiSYYI zhySqNiJ@E^0v@ZArMvM)Xms!N`n!Wdv|sq*KhV~n;RHHS;{p+H23tp}v2&&?Fx_UB zPvCCYpn4deyXkPXgN_XUdw7)sBED=tMv){&P9#O0^M#Q)Kh!FxZsPvT{nCi>h+f>0 zu}nQ03gG*v9+Tq#`-gQqlz5sFvHoA-QgOb;FjSXzYmZ79;Yax{afU~xMpAfiXi_wU zy-Wz3{&X9Q2c<;KZai%%2pl>MX}BHSv!lcg>%@qfF7S}QL5ib54DFEMb8(HPn8ikie(R{)(ojn9m_|84=yGeJsCiHrvj zRjI0Hz%kql*sry+77kI0{lhC*yicb0@fVmxrR*Ef#BEF61H*OS340P;zOxIPxryQk zNVpjIpz@AddDbvxqHy2AQzMMC<#UTu=SWdt7TSo<=6+wXOD+10SS>t_iI&?B796tl z8+oY`9DTyt*J;R{a(O#O&xF-wyGXItREv#!IahhOPu!Mk11AlK$^27~$)LaU- z=tJHHY_}t8$d~$^o_YZeUIP6b6?o+LDF6tD=lVNY=m%qbShJTr4-wy11-ZJ_>H3*< zxPiK{BBvkghG;fiLH5E^+&|u72hXFQLyD4ju!*Hg9?aDezH%h&Oyv(zo!$H&fo*h4 zWb7S45X`64EbW|+VrpY>=xs&QL|j)FR>n!jm{cu8365`)Y)60HM|r_m(l?qARFYU@ zC&N|j+d%5>tB=w5W2@5Cnqeto+LCIq zac75Pq+ZSH>9@IA%Uwz7ZAN?HbOd7gFOr6xdtwqDIH8$N;?`0MG?5-f^X%eqQ2rA% 
z5_iG6H-yJ#YHo&^BU8)LHk?3KZc7S3JmlPQrn)tshS_c)7IDj>316)$)KogB(Dk-G zXw3W=bdHV2$y;22pHCKh2ARmu4YSGL$N#R+f~X33h&Me{8!s7Q`< z4P+0s=55y-Ek+6179$|+&4pHo^@Y1y1I%2-D8wkvvR##HW&i5aqIX=4kJT$*cSpCn$41_XJF`x*rvwacC(?GHkxtMG^PlN8nP|I z2nq;dW^}><#wVDo2mYAWT)|ylzj)}z{0hV&ilgiHy^#64hMd}#Ov^oXf-D$_AUzyTL7SwfE~qiquof0YEhOel=_t6A&_w zs2ZQ%xOg|+{xgg&Lof3N(fS<%_@7$~FlZihd7yR}M*EL_|%az+Xmk z!z0nI@gChosez;NKS^n!Mxn!ffB+Ssa;Bd~W0KJjFhr?W?6jVV(+HCwZ{ve5hQ>ry z`%1avIs%KDF3ld0R>B?2MT^@6#CTNxMM@XyQ>K-p%EYToNR(z7%!JfIV<(x&Qc=s% zaC6&RuPuh18rCV;QO%C@nPXT9%QHD07`ov@?gfSjBP2!Ma<60Atcly#uDg^}_(SJN z>iHr0ANu>(8?(m8r4ecqS#WJn_D#n2gf#8#?fr^+LHlXtM-9&-^$x9bH$nuklo_(o zH(0`Aie1GhK5TPCAa+^6t}Jnc{}8ffGd*zMVMIVu%~Br_Ht(f4IRx-^gm0wId$UTDMK5t zvI(b8LX=p+_#7J9UAFzKI}{LvusV<@3v)5$u&E36Ed;`&e6D#FNS8vVE7WqYG$kgo z>V-sL_0#DwfJH-7)h`R3AFvpSNn&7Y-nbF^=;NkH>T)Ff0sr=ruZym9n~bL4$(eCz ze>ak3ll1t4)w)8$DZ_ov<=yHf7Q;@?rOJAzis2}T5cmsQqD8NrVsc;XG;~!*92ci+ zqp571hyzInWt<+wfe^690_lnh%u+{n?(z2jSqBAu7&a_NN|;=t9%p`AR^}Zb zR9t6`aT71%r7cTZ?T}(coN%9tB@303`Q4 zzVJ-)vIbA?`wZ;#*=~pm7YonvCK^6Q=`4%Nl^SJ49#E~Ay4sr987=xgGTR}cGOQMb zi&e78sx!z~@|D>HVo;pDLh9ORh6ll79_dKa3miZmKGZ4aR>!Lz0T%boj4=`ihC4e~ zTu3_ctrM*VHfX0}TsxnOz$GFX8K-r?uyQLeRo_urStmHd>X-=imxCLEd!52;0f>QR zN+xvLTERta^(j2oyUx9$#$hL;eoVDTn3Ead6nE4jQ>zcI9Z*Yh`i9UzJw`LVz@D^- z7gl#5ue>6OC~bcFja*Rnhd0MZ`+DLNh>jHzBJ4Aor0%_#xjT-|=SQWg{F?C?okES3 z9qInbVPG+d4ZET$Ps_~z5+=86!7%!C&HkMb{YUA2mEFGr=K+x|6;r`L65|)Y`L&C> zdu2})OW5kzD^dwPl4o#i4|TxVPU`n3uqx>njeFf4?r%RosqL@B6f>Teq&}i+k>=Z* zf4u%!oJ@)&1g#dE*oeW=?()@J9wYi-@?JdKn(xTYY&Eh@yhLxa$v7owK}~- z*F&euA}=G@0CB8i-yR}=9x%_LAmitYh}5~N91$dAW}V6CumqH5fdLHwPjtzNeAHHU z?F8-L3DMRyFRuFH^;_#Ld_I(yS%Pr-#EQxJxgNZ~p`!+KRc)Qtma~e72kW=u`Zgk9 z$Uje8RymxtnSRBJS~3on*e4?vZ%dlxEVhZOnS;p9^WnbL;QmC-&0mUd-2ZB!1$d;U zw*Wi|lD}D($v5ow4hrM`lDD+TS$2K_bXauGWSnh%#a(z-u8uy5G9IDZvlQGZ}8m zRj-HRH%DFV+<86z(S}BbuT$PgiT1r>^;-j^hYSTsk)a5|_IDhq3E_i=T=3YpZes;~ zVppYwR}}1RjJYYbwd%v~JnD^j-I9(%T(qH*GzSEcJrYIFapitXeHNA{8EjljSVRd^0r7X5F^uxk>j@9 
z)mP<AX6pZRpyd~FiISV~hZkZ7N>-P4)w{lea^(~Z@L*gAnszYy;=4tr8RtZs#Q zC}?NDtuLx;wCG?rWI>#LkEne;hvIR74xL;|kU~Bs-oH#cxTkyjuHC0w?;ho%6r-l4lWt**~= zTPoirY+hTjZo{O8N!@Q|E<39XJ~?5AOfsqbSQk TLj6w)*nczpzo^0RKdb)*PiX~B literal 11016 zcmZ{qV{j!vw`gNbY}>YNdt#ngC$??dw(U$jNhY>6v2DHi>iu}{-dneOS9NvwuKlxX zb@x)11BXBd0Re#lk!R%8956(a?t}#ai6sI7!TPsq;$#MJF;lk^H#4`gvvRSrw_~(+ zwzs>~_O;*W!1?aW54x$1AkcF93+y1#y58kE)ekU5$kIa;Lq%^9-_RphA*<}LOZR>H zBs|mCSbtdF2m?r1%N-0If2MxD1T_xW%Qs-M5aBlttgkQPD^R{h5#5K>i_@c?-y>yW z`W5^&o{>lV5c5AP)!~)nVUxp|e_9BV`i}&Y@UJP|bmVEq9NU z$c(TAV+b4=&(xt|%e2Q5oq71=^Lm^bI&zznb;G>Fwmdw!#qY1`Z~i zvf&q5L!j2nq8Qjh1>kx+e5Lx980LYGaq7&T$sn~aD&nW6oP5tmSjlW1!HsB%@<*LT zRQJ*83*gK_Gf4J~ROJ|4gc%Rkm_135GmX3Tz>m+=AB@~7`uKmzFDC4di3}7C`#K>+ zI}D{|_fZV`SA*e0q5ApWxIT|gh@>=n+Upy%7f8l}PzebbeD<%Azu`nZz?@C;$`ax6 z)q^QQKn1~%@0iM+`E72wR(~Hc@xz4B?E37C4)H9;*Q=OOLkTp{hH0HT%ai+{z=EsQ z2E>6ZB~7X0@1GukDqpnDv$WfC3wa6{C+eWkU-U#zSln>CIXO;gkOnRpA^t{t5{z3t zT;3&*9-u%C*_R+TXpe!8D?5B91^A4Nn~a4zSyZstnWD3JSe%UgMXgoIHyhQO z60b7vJSHt=oPKzwu*F1}HHS#)M(2Q5!Wg3bC_r!|$U^Nrq>HKvia`7MyK=shkd}pD zf)UVi`+fl=d(a{wNuZFDX&MApD+p2*7>JUe|IIe1y;8yWneQRcBuJnorZPIbIp zv)6$xO=fYC(KJAtOrli4V;Nv1Q-TjZKq_>yaWHG~{+>UB8Y3V*ZGOylz=OmqCHbTC z&~#56!t|CyoVYYK4go<38hE)gEeVwSs(I*@;UOQ3kqeu3C*=%PpT;=Drk)ww7UVFRY9Z zGaD^w@~mw7{2YW@U}_x5)VejwZvG_Vl1yP+K=b!g!Q0WxRR&%x#n_g3r99;8jV>q%X}O70v%VcyNsq7!+epSSjEWtw*leQ=k`KN92B? 
zL~CHK7G2L3)?esRVFnA$@!jVaK(|CEy|uNAG4F87i> zIp8Z2L^Qb<9Nm?H_Gd9%Xa7X^yz8-Uq{3K(8ZV!|h53YZjW%zh0Uwp0PkIU|o@ldY za{*H#vjI3jdEjE!F@i&P#4P@X$8~UDx;GJ1Py8cLQ%(7Bk<%n&k!uc)Qv_Z-{Vs)* zB$ZD6+cwykEWwdM*Baxv5;ShIdbQeR*7Ty0W@=XiH*&fn2f{0p5%>bmo6s`B1EvC0 z+?GqfZm@D)?!PN~)!(ftkC{ioU62d{p#YGquGPr;DcCn}{A{5r{p0_c8D~*hLRzQ3 z$XoK$g(C7baAH#qXD&h9v)m2c61g{#SerUJS#Srlh>eP`D;-9Kc97EAv|l-GVQ%UV zN4*zzq^a4;P}*4-S^h9yERv*qaGIZf^2R=zjRf2JZg_Ha8j|s3vyBwu@E*dDIYdwt z{HQlVy}w<7&y3nB#{D53`5yT7F4FeE9%08;>&c7N1~AW}t>^P8zEw7!C5$7G>=!bM z$g`I)E&xzl#7vaQl&dm3`m}JVB?!@(U@pEABx!1+saZ9Iz{G5L1O){N?z;I976DW5 z3BktKJiRO=a3LK;-C5)o8BEZWB3u&!Hb(PbkQh8=` zJ(&yGtR+^08o~(p4uSXI5h$GRfpR+sCm{nX_0|k_m?J-A&@NXg)jq@l?jVz$QWM3q z_XWTv^vAr$RPW3m~~^c#d0&zQ^2TIw}%N6NdhB^%n$IqY?D za-AH<`b$|Kyp5QIax*%*X$oxW)Y);fe2=bu>*c7=m@$2JmKAT* zw!cT@>boddKnhnIn9xepLhYDoa@C7dr9R9+2BY5t-d7uCadV&dlS|9fJDKQsF_gZK zn3?$i%1*58WVrXIiXl1ibEQ-won>r&SHxyIROL%9$;gNLsm`f+HY+nPRB5fi&7_o= z4_TaF%N=sP-yEHv)u#5@BncGpJ=}fu_td@}dS9;29+ksG7U$Qh9n}wvKBW=7CI)&~ z+Kq7U;-;5PYctk{A--A1<+fLf0>Ec{D-2*!9n{D*yz3uVv@l1w7Uy<4tcOQG4% zwLcUR`MJyPd$uGOk`X25(bJD96&X8lU9%W2x-y9heU>d7uEvND%v+*%TwC0xh3pv^ z?R-&m{=l2=?ajyItM{$wU%6HMtw&fcT2{-rQ0D`yHk;rGc4?}3d>^4~BnS9kaL#+! 
zL%8wso`VQ(6t4;joovEgBn>HrJRpcVL8(kbl;Q%VXwpcvf7=3EUSIy+jtGG&{}|7drso;$}9^)h@;lMA-cD4q-BRAA=H|hvXzWs;nJB+Dr z$zvLJzkH<0_;`;gJk``LLic);XO)aC6Na0VSbvZW+FVE+AMm)~PLal|IN7qf;Yc!i zT2T4Px8)J_ZBWiId5FzkVG#YEjI+i50ndsTLB#7u|C_$9ztuyqcvT>pj0t-paF4xb zmjdDUEri|ELNy}+AphD{Xs=aJJS9}-VAimRITHwUSH~i1O^bp^WMHAXGk4;~s~^lD zkLe;{l{ZFJK2uE}CdnMoizHB}-kmri1;Cv0y?4UD5M4-J86&fh62_ zd#FtRdm&@7+# z1=yU-@@KiMtFN>7vk@@=rdNIZb6g*I^k(oV0ftS26`sDAaRJ#T6fY1ya5fi_L^cyC ziWz6@1V*|Gxi|`G#;$0-9yNBg= zuqKvo4OZu|J3F$BUkU6wo50D{&ruQFY^G5Y+vc9od{5x)Y0cbP+x*g^{gzFzH&LNb zx0O;WMN*ac0f}la1TVS$GJAQxRq_b;{1|A{-jcWv*8d3NAr$izN?32*Q&zLBBGFi- zs1EmlhCVFQmpJcrVkfb-GL=%XnLr1kJ zL&}s_u5ch3I%VlxmBptCC;7&XQWi$~XE<-NA{c&YWl3*jlQ+9Js}kszWvyFh0(492 ze`hNcU2b1j@b5N8O$vUmo>j<6$v&_&dCxftD}*yV-b0M@Zf-v1&HjKx z84^MnN(cVbI95k`XpGR%QP6$RY;Ci?^1L$zN4AetfFv(M_}WGuN`jKhqmpX!-hDrSn!q7Ir%9h1m_ur+;|E#DGF948}<2j zPTETT?ehk!^r2D;(MD};Z21G)agoGvxagucIz^{Q9#;QTo~l`4&$!a2VHZtB#c75u z;SxNFj45cry?M!sT9ostqMN~B1@?0pRT`8D|DHcCF?J1CIw*I+|y* zrR56p-AwX>eSAEkm>gR(KK)w4ixR8drWFxcWWU$@Y_Ac&HfOtdtGVTK`Gm_2p|XXb z)Fz5Tk?v{Kfi29^C z*4`VI9ZA7oZmHer8=1%Usb-44U(=uSp++3tt*gHj&-=*hd~J>cW%L$s=`3S=*mUi@ zWD*t6^Swbe*ZXDzB=hdy0iDvJ87F#VVb9&0IoQ!6BK7E!JZxcPQH%G+hV(C>kf=kZ z74MF7Ak3XNws%Q!KnumE-wvS}eAyIYJ0@sZp{2F-FDlg4r;-0oCHJ9;wm0LLMM*N@ zivXXjw*%AZ4+r_O6qW=F!n2|R+M{7N@e4d#E8&aA*g0K7$bAG?SWmbemUXw&S3y8Q z*{i;-8t3m_QFO|E*gh4+A8tY{`NN3>%*t@s#&F{aMPET*f%C&~yMMm!u|h`NcGsDq zv9}iE04I!Y*d_?s%q-y4>`?CrT%;9BgD9E7dT17?UWgRBMJX6DeB`J*?cF{{no|h55E!K}EA}*@ zaOv7y(fC1GsfzKg$h^HPfk-VMsc+5Ox7#w;6m`JOVi6@;v>q=HmrXto3xdH=mLLAi zZL^$ORN*u6HN9(-&mlQYSLAti&V(6ZC=~m{&X*t+&_DZ|xEbca(m0waH}e#}s6Z1r zEq^|;z|zzs@Itr*Mj8J?0APfugP#_A;2T|}Xg<===i0#FaM9Uv7l;U6hk`K$E$i-{usu zHJx>*gq-kV*ravN77s+iiYALW)%W>%fZsY#4@EBa5R*!K}-)IcA zjHnaihsTB1TW$RK*b@#1dN=F4EPIw0JOQBDVhoOE^h>L&g`--3L~9UQy;awHF4Z=j z=q+&6NQ~VdE?e7HV6fTI1<0s^9HEi0+Aojt$#zS6mUU?dXlb%ClU@*3)z?1?X?`kQ za){HVm(UrJe8-o9t+m4jx8VNfgw#JQ-!m4BUMed`oZ z3Eb>@cl1dS^^R^?IL6q6M2I#f8l2H+>~oSwwk@rGvl(#F 
zm^D8QZONqEkmL-zv~?MJP`B~vy>k0#!bj6Ga~UM~BxRHCVo^Pyl#;fI4+=)&_Z!lia;MilW{zYwfm_185;FLObyJ6=>$V=1&#Nf4g7)J|WxPS9#K!syFCLo~k zF|9JN8u9&7KQM!gfbuisWaL*yk+%`}JhL3zkOqhNv?DqiumT@E2^bE7YNvQDYhw$9 zUA{5$l*z(HdtdYQaYw;CmgDZB}F3KogtQ^ePOx4WP54oi_x>&pWdu~heGO!XDkuBaf%{W{sK-m?)VmhHkFLbNwq0d zB>jWwXC@^*=3_uS)611Smys^LqfT_V zFU|O78@-L2{p@ghT^mVqjqd5D-v1VK5~4lr?c4h}>SL?Vy2v5cAn9J6Z~D`Lb2Q;j zPVsVGNBs)KZ<4R6ODC1SfKIA1u|xpVT(6QGrHAVpVhY&qN@W1&H?-GKsi)OuZbTDn}?}5$oz|CU;U)SwlAt! z7*9iLL1&}2VoPV>jsGOc-CCPtzp5&ScYQ_#rs_vDF);Q` zCR;2}2`q+(X;6G^$Y6?!>kQBkx^6KJ{}~&~TOkN_7vxL;boTVj6nb~FQ0u4wLijkWsaQ(3h=g?8 zwmSLz*ZQJaT;R#6LlPLHP=JNaHVU()J=Tr0nG)FlXNF&$%hXotG&&gSvG}|>bkDpg zQs*)?PJBRODk0LSG`uYaoOPD@dsj>Q7eaFNQVv5)S>==$a7|IIEbDSL?r%Vrf?PAL z1ads|WPa6r25)k|v#pR?UG$mArDj|C$_dEd36$bKb>}czRnRbclL#SP+CJ7@S7#;I ztZI(CSPhA&bJ!hd4SwbdEIo}n_0JvLVXvX7eAF#$OC<#Ac!ByHP1rcYj6Bes4&_gY z)>SUvYT4x;#0<}IWhQW@?>l&B3aH*+B;aS>+Q>c_Iv?AfV01Q7loNeHBV4*~UU2>l zX}*ByI$gYC$oj@jFa74yy7t-DwAU<#JM~)9cX_SPC+ttW{v)PZKvm;Q>Ys90Z-2Vo zSI&Z04lO@~wC}zm7vjkB#-65k&S?11(wxw z(9j)tY#$tC55BPrFy%GM26wWtZqQBrA43=$9cAj((DwBr8&G#`;5LRrqf5a}=lg9$ zbgfckt6ef9{tCNil*+A+TN==m%T56-%j3HzX%xTBpHb2+EH>hSbf ze*%+R%K}c%0@{sM(uogAi22~jSnP?l#PPIjupQ8^LG*M z9?k+StRq$(k_y>HYq$^orCj=hN)FL3xcG2l%4D5PeHzBq^NWE=- zy9Q@AN3KMe`nJ0cO&x7~a-jC|`HV-*UT7~N4x>NZ|Fe^S7R`Y@NAi`Py01!M&0i#Z%B-} z;F0cq5O1F(07a%kn|`7x?~nxV@4U#DDd1#-k>aDnH{jUB?LfW*cFVS8*!(sH>=1h- z(u2kR1{67c2yR$Ja0fKNkHV)fps_9ZlM5%jgLhh0o8%^h;7ZG65h-$s(IX(nS4#UrGn`nVw?CUwZT=dOur!=*mS{zR-@2oq$*OjF zWG;I4?5`jcJ}}=_u9{Tk2hQcD`0xXDe%DmMGJgNbDom_62CW>o^E7L>ei7p45=*xW znd$}gU14S?to2|MHXch9P_-isG8@j-HAv#tYVxI{VfDL*-Oa+$v2VzTYUn`ld;Kzd z4=$Q%G99+Gi%z-kJ=CtO?-G_Z$BnvbO>c1WTQ5pQSE=^2NYSpqOu%Pu5bMlD09Gu|!`w>b=MXDD1qkw{62k0py;B z+viHrtz0{P!L9xZ@V5DLcXvfD-f}#`3PPxML17VeqL=mX3Dw0tEIldpejERHAmIXO zdQ^9@DY=LUXMB{rt)!3r*~ol}Tt2$T0a$NP!W`n>9JsC*ELr>;BmImmlppAY$e=K> z7i)wJBbc&q(J*y;KST%8kWMiL;K3qJpSsvlw&ChA(3o&244r}_#QDKf z@v|{RC(oN70-A02S@lI&F@t(*DT1Ra5lmdF=m!t5xpyAhvqESU5(Rtwz7Hzsr^Of= 
zmpzX;&RI54f53#)*&mT$4+S*sk8Alk_MsyCm+>8y?I@Ap(Fsoo-y-uT?=wK``jyFo zFG%`h>@CSe)fzU-jyRmB{@m)<9S>KiF*#~ZQN$z$L=o>NfRR|_k?mTqnH$1K5y?nL z2DDW&uv7ZCr#B!`n_uClBp%-oYDej!ISA<5adwyEX%?s`+c;7bL9DAXCWOjH0xIR9 z1*p%6^&>x@%Kc%i>6QTa0OEB<5qQPo1>B5*N<{VmqLQCl(0Dnt9U_IMZC~7`;&^vW zGsV;~9@;0hMU(%o;{!}X^}Ld%_WW_wk_%hz9Z1JUDdZ9DZ73DY4?+BTC1P*Mm%PM7 zLga(1td?>ehXM5{&Rr}gvS;4EB>s{g6k{Igh5=AyBq$pidQ_2%Y>8ltM{Rlz#djT3 zNwRi{L#~)1V0zW&be!d=ZZ|dI;)^%2qIBth(INean^pDgYknU>^s8H(@5A742JcI4 zre?~uGgY}^-VpIPBoGgjv8i-`#z~F5PyWGJ!Zln8DHf)qGpT0Lmy7>?Nkk-5c4`EN zO(PxD5p-`5YN~{86!b00EWO)BjczxJHDk`vY{os0hP&^Hj<#=-d~q`1B24h z6`WI%eqcfLPOJ^zfe}ty8{kNk~ zZ8nA%&qlu62+uW(V`g1gH)lw>N5WnyUlKeYkG;mwZgO!MtA8H@t=FRF-N>RmD4(68 zBBLrxDi8XK{y{lkp|EEC$|1Zqi)-w5Jdrz8A_68%9Y8eg9=Pe5{IW)CN$^_82^T5tIV4Jqw(uIW=IiP+FG7_`T~{!~c~~rR4mSQL!vbGRp zwE%~!mVMZ<>Y?DfTy``)$pi-=CFH$0=jA+*?1M!#?i=j>S{1nt3iU6K$WGq1 zveq#T2F_T$bNmRDMGyHY-QOF#a5=2W)=&ZhrTF$y49j)%>*_k)vaX3i^00@Z;IZ2% zu;DKrL~_1Rwx}p-Q|5^9+4>p)9-;Glo2n|SZ8n8RBa2zjo14+;;A{6?q^)AmkH>b2 zRSq*eKF8h{8X@1Z+vPmCK5l}1ItciE`ooYmrA)E*D5U&5@K7ZdZ0?u&z2f1%OGS7) z3y3r$IzCOY+2}dhBb>G@F-Wv`@sQaWhemOM_l+K=^gRbs zy7}=;g-_gfo1*L-F@N)q?@sXI2mFhJ+FxoQ9Sg>6aO?^6e0$F5b?MNeSS7AI_}YU` z?Eq9~U;|oDld$E@%>BpMg6B9od&t2v5_!R_*ydBqBM3BDI79U7PTy@Yg#BS zkezy^4bZM>G56W?IaEU_sW&wWYwS?6H`Mehp1ikGJa9~oFCDa58xLykEpD!QyBZNT zkvXHP3r4GFvI{;&}lC*V$vhd-(09|RKaOQ;Q3k03LG_0im9#S3ceJDWm;btc*oJ- zOx`WC$enu{S+d%jx){E%c>Ez!^=0*b3K>zsj>*3*fmZUm!}1g@pAo-+$^S{HdN)j& z91)jiz9IJNk-siYBVu+e;(_B4L(!q)``aJo_FiVjFKp(~xIj3p;BVw;1gUxWqz|G+ zTnjWz+3Y(^K7C3hR)O)e3{u#0375AU?k>8lm`(1cll}GBx)A3<`=-#BT?6>mV4r`l z;3+|w?|ls2ny9vQA$?-M3#!uhIq<~6Urpn0%=1?9XWuWp9uHqIgsXCk+#9h&s9-RQ z7aX7Wmu{&UA`|XCn$2mi!KNmrmp|UY--F-pH&oq0_RKwTwG=xca=WWTea6SPTSi2` zq`;h+{31^3saG!D_9jpg@V>ySS0=N36qdl84mts1q^bxcs~$1lc!{*dBom?}YgSp? 
z98<{NzA_eAlRVyHndW^N@Xe%vpZacV801%8^W$eVnG=BDYmH`A+LgkhMBk6S7FnFO zg-PmP$?_ID4UB|zM`D@%H9V6BtU@)S*~@G=yXP5(m+aMzWwx(%OI+W!dR?0*kQ+RQ#=uQERTFi zw#w++0Q-ByoY85SO;r2A=RfXT}{Ic=fpU-Co}%VaoKYJ-*hu3n*WoX!bwSIGos%=+iAB!Pjau zqipi+0tVa$3i-D@9vq%v{S>LMD&}`))`9MH?epr1lV`Z+?tVXie%W4si~%2LgWXyO zy8eO7>1Op-_93PpFqS8E2<*D-G@Z0xfy#r69c|y{F3p#0$(XH@A64sh6A?}W;s(WIRw^n5$;bh7Bc;y})od6n-9cjRKy%Ez#(mKJ@S&^G zI#(T`#p5|+UEUDuY1d#O*ox3l(oBw-sr{?-?dbcTe*g-G4*tLUrvD^_|F8Wo_UV5w j^4~Rv|5xGapUV0_qy}X\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\r\n1. **CyberArk Enterprise Password Vault via AMA** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the new Azure Monitor Agent. 
Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **CyberArk Enterprise Password Vault via Legacy Agent** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of CyberArk Enterprise Password Vault via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CyberArk%20Enterprise%20Password%20Vault%20%20Events/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[CyberArk Enterprise Password Vault](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20for%20zOS/Installing-the-Enterprise-Password-Vault.htm?TocPath=Installation%7Cz%2FOS%20Credential%20Provider%7C_____2#:~:text=%20Enterprise%20Password%20Vault%20%201%20Install%20the,applications%20and%20create%2C%20request%2C%20access%20and...%20More%20) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an xml Syslog message for every action taken against the Vault. 
The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.\n\r\n1. **CyberArk Enterprise Password Vault via AMA** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **CyberArk Enterprise Password Vault via Legacy Agent** - This data connector helps in ingesting CyberArk Enterprise Password Vault logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of CyberArk Enterprise Password Vault via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -60,9 +60,10 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Solution installs the data connector for CyberArk Enterprise Password Vault (EPV) Events. You can get CyberArk Enterprise Password Vault (EPV) Events CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This solution installs the data connector for ingesting CyberArk Enterprise Password Vault (EPV) Events in the CEF format into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, + { "name": "dataconnectors-link2", "type": "Microsoft.Common.TextBlock", @@ -72,13 +73,6 @@ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" } } - }, - { - "name": "dataconnectors2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for CyberArk Enterprise Password Vault (EPV) Events. You can get CyberArk Enterprise Password Vault (EPV) Events CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } } ] }, diff --git a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json index 98dc1e873e8..20723c1bfe6 100644 --- a/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json +++ b/Solutions/CyberArk Enterprise Password Vault (EPV) Events/Package/mainTemplate.json 
@@ -38,10 +38,10 @@
 }
 },
 "variables": {
- "solutionId": "cyberark.cyberark_epv_events_mss",
- "_solutionId": "[variables('solutionId')]",
 "_solutionName": "CyberArk Enterprise Password Vault (EPV) Events",
 "_solutionVersion": "3.0.0",
+ "solutionId": "cyberark.cyberark_epv_events_mss",
+ "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "CyberArk",
 "_uiConfigId1": "[variables('uiConfigId1')]",
 "dataConnectorContentId1": "CyberArk",
@@ -440,7 +440,7 @@
 "properties": {
 "connectorUiConfig": {
 "id": "[variables('_uiConfigId2')]",
- "title": "[Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA (using Azure Functions)",
+ "title": "[Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA",
 "publisher": "Cyber-Ark",
 "descriptionMarkdown": "CyberArk Enterprise Password Vault generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.",
 "graphQueries": [
@@ -515,13 +515,13 @@
 "instructionSteps": [
 {
 "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
- "instructions": []
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+ },
 {
 "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "On the EPV configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. 
Make sure you to send the logs to port 514 TCP on the machines IP address.",
- "instructions": []
+ "description": "On the EPV configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machines IP address."
+ },
 {
 "title": "Step C. Validate connection",
@@ -599,7 +599,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('_dataConnectorContentId2')]",
 "contentKind": "DataConnector",
- "displayName": "[Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA (using Azure Functions)",
+ "displayName": "[Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA",
 "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
 "id": "[variables('_dataConnectorcontentProductId2')]",
 "version": "[variables('dataConnectorVersion2')]"
@@ -641,7 +641,7 @@
 "kind": "GenericUI",
 "properties": {
 "connectorUiConfig": {
- "title": "[Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA (using Azure Functions)",
+ "title": "[Recommended] CyberArk Enterprise Password Vault (EPV) Events via AMA",
 "publisher": "Cyber-Ark",
 "descriptionMarkdown": "CyberArk Enterprise Password Vault generates an xml Syslog message for every action taken against the Vault. The EPV will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.",
 "graphQueries": [
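Review bot: The rewritten Step B description still tells the operator to ship the Vault audit stream to "port 514 TCP" with no mention of transport security or of limiting who may reach that port, and the workbook notes later in this diff show those events carry safe names, account names and user names in clear fields. A plaintext syslog hop is a real exposure for privileged-access audit data, and an unrestricted listener on the forwarder lets any host on the segment inject forged CEF "Cyber-Ark"/"Vault" events into CommonSecurityLog, which every workbook query here keys on. Suggest `"description": "On the EPV, configure dbparm.ini to send Syslog messages in CEF format to the forwarder machine on TCP port 514 of the forwarder's IP address. Restrict inbound 514 on the forwarder to the Vault's address (host firewall/NSG) and prefer the TLS syslog transport where your EPV version and syslog daemon support it (see the CyberArk SIEM integration documentation)."` — this also fixes "Make sure you to send" and "machines". Whether TLS is available depends on the EPV release, so the wording is hedged rather than mandated. The instructionSteps array continues past the end of this hunk.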
@@ -716,13 +716,13 @@
 "instructionSteps": [
 {
 "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
- "instructions": []
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+ },
 {
 "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "On the EPV configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. 
Make sure you to send the logs to port 514 TCP on the machines IP address.",
- "instructions": []
+ "description": "On the EPV configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machines IP address."
+ },
 {
 "title": "Step C. Validate connection",
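Review bot: This hunk is a byte-for-byte duplicate of the instructionSteps edited at line 515 (the template's nested connector resource versus the deployed connector), so any correction to Step B's wording, port or transport guidance has to be applied in both places or the two connector pages will disagree. Since mainTemplate.json is generated from the solution's Data Connectors folder, the fix belongs in the source connector JSON and the package should be regenerated rather than hand-edited here — presumably, given the repackaging title of this commit. Step 3 of Step A is also hard to parse as written; suggest `3. If no existing DCR collects the required syslog facility, create a new Data Collection Rule (DCR).` The enclosing instructionSteps array continues past the end of this hunk.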
@@ -779,7 +779,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## CEF standard custom label functionality has limitations and to solve those, here are the field mappings done for CyberArk data connector. Refer to the table below for further context.\\n\\n| Old Label | Sentinel Label | xsl KeyName |\\n|:------------------:|:-------------------------:|:----------------:|\\n| Safe Name | DestinationUserPrivileges | dpriv |\\n| Device Type | FileType | fileType |\\n| Affected User Name | SourceUserPrivileges | spriv |\\n| Database | DeviceExternalID | deviceExternalId |\\n| Other info | destinationProcessName | dproc |\\n| Request Id | FileID | fileId |\\n| Ticket Id | OldFileID | oldFileId |\\nThe workbooks outlined here are simply examples to get you started. Your enterprise's security view will dictate what fields need to be depicted in your workbooks and Sentinel's ease of use allows for dynamic views of your Vault activity.\"},\"name\":\"CyberArk-Workbook-Notes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where OldFileID contains \\\"Error\\\" or OldFileID contains \\\"Failure\\\"| summarize AggregatedValue = count() by bin(TimeGenerated, 1h)| sort by TimeGenerated desc| render timechart\",\"size\":1,\"title\":\"Errors within the last hour\",\"noDataMessage\":\"There have been no reported errors in the last hour\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Errors within the last hour\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| search OldFileID contains 
\\\"error\\\" or OldFileID contains \\\"Failure\\\"| summarize AggregatedValue = count() by DestinationUserName\\r\\n\",\"size\":0,\"title\":\"CPM errors, by account\",\"noDataMessage\":\"No Accounts have failed rotation\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"CPM errors, by account\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID == 7| where SourceUserName contains \\\"administrator\\\"| distinct SourceHostName, DeviceAddress, TimeGenerated | summarize count() by SourceHostName, DeviceAddress, TimeGenerated | render timechart\",\"size\":0,\"title\":\"Logins by the Administrator account\",\"noDataMessage\":\"There have been no logins by the Adminstrator account\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Administrator account\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID == 300| summarize count() by DestinationHostName\",\"size\":0,\"title\":\"Endpoints most connected to\",\"noDataMessage\":\"The PSM is not being utilized\",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Endpoints most connected to\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (295,428)| where DestinationUserPrivileges !contains \\\"PSMSessions\\\"| where 
DestinationUserPrivileges !contains \\\"PVWAConfig\\\"| where DestinationUserPrivileges !contains \\\"PasswordManagerShared\\\"| where DestinationUserPrivileges !contains \\\"VaultInternal\\\"| where DestinationUserPrivileges !contains \\\"PasswordManager\\\"| where DestinationUserPrivileges !contains \\\"PVWAPrivateUserPrefs\\\"| where DestinationUserPrivileges !contains \\\"ConjurSync\\\"| where DestinationUserPrivileges !contains \\\"SharedAuth_Internal\\\"| where DestinationUserPrivileges !contains \\\"PSM\\\"| where SourceUserName !contains \\\"PasswordManager\\\"| summarize count() by DestinationUserPrivileges| render barchart\",\"size\":0,\"title\":\"Accounts most accessed\",\"noDataMessage\":\"There have been no retrievals of accounts from the Vault\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Accounts most accessed\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (22,24,31,414,416,418)| summarize count() by DestinationUserName| render piechart\",\"size\":0,\"title\":\"Successful CPM operations\",\"noDataMessage\":\"It appears that there is no management of credentials\",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Successful CPM operations\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceAction contains \\\"disable\\\"| summarize count() by FileName, DestinationUserName, OldFileID\",\"size\":0,\"noDataMessage\":\"No Accounts have been 
Disabled\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Users accessing accounts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (295,428)| where DestinationUserPrivileges !contains \\\"PSMSessions\\\"| where DestinationUserPrivileges !contains \\\"PVWAConfig\\\"| where DestinationUserPrivileges !contains \\\"PasswordManagerShared\\\"| where DestinationUserPrivileges !contains \\\"VaultInternal\\\"| where DestinationUserPrivileges !contains \\\"PasswordManager\\\"| where DestinationUserPrivileges !contains \\\"PVWAPrivateUserPrefs\\\"| where DestinationUserPrivileges !contains \\\"ConjurSync\\\"| where DestinationUserPrivileges !contains \\\"SharedAuth_Internal\\\"| where DestinationUserPrivileges !contains \\\"PSM\\\"| where SourceUserName !contains \\\"PasswordManager\\\"| summarize count() by SourceUserName, TimeGenerated\",\"size\":0,\"title\":\"Account objects accessed by user\",\"noDataMessage\":\"It appears no accounts have been accessed\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Account objects accessed\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (302,359,360,361,412,411)\\n| summarize audit=makeset(AdditionalExtensions) by coalesce(column_ifexists(\\\"ExtID\\\", \\\"\\\"),tostring(ExternalID)), DestinationUserName, SourceUserName\",\"size\":0,\"title\":\"General audit information\",\"noDataMessage\":\"There just isn't anything to show 
here\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"audit\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"audit\",\"sortOrder\":2}]},\"name\":\"Audit information\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (295,428)| where DestinationUserPrivileges contains \\\"ConjurSync\\\"| where SourceUserName contains \\\"Sync_components\\\"| summarize AggregatedValue = count() by bin(TimeGenerated, 1h)| sort by TimeGenerated desc| render timechart\",\"size\":0,\"title\":\"Conjur Vault syncs\",\"noDataMessage\":\"It doesn't look like you have Conjur\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Conjur Vault syncs\"}],\"fromTemplateId\":\"sentinel-CberArkEPV\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## CEF standard custom label functionality has limitations and to solve those, here are the field mappings done for CyberArk data connector. Refer to the table below for further context.\\n\\n| Old Label | Sentinel Label | xsl KeyName |\\n|:------------------:|:-------------------------:|:----------------:|\\n| Safe Name | DestinationUserPrivileges | dpriv |\\n| Device Type | FileType | fileType |\\n| Affected User Name | SourceUserPrivileges | spriv |\\n| Database | DeviceExternalID | deviceExternalId |\\n| Other info | destinationProcessName | dproc |\\n| Request Id | FileID | fileId |\\n| Ticket Id | OldFileID | oldFileId |\\nThe workbooks outlined here are simply examples to get you started. 
Your enterprise's security view will dictate what fields need to be depicted in your workbooks and Sentinel's ease of use allows for dynamic views of your Vault activity.\"},\"name\":\"CyberArk-Workbook-Notes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where OldFileID contains \\\"Error\\\" or OldFileID contains \\\"Failure\\\"| summarize AggregatedValue = count() by bin(TimeGenerated, 1h)| sort by TimeGenerated desc| render timechart\",\"size\":1,\"title\":\"Errors within the last hour\",\"noDataMessage\":\"There have been no reported errors in the last hour\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Errors within the last hour\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| search OldFileID contains \\\"error\\\" or OldFileID contains \\\"Failure\\\"| summarize AggregatedValue = count() by DestinationUserName\\r\\n\",\"size\":0,\"title\":\"CPM errors, by account\",\"noDataMessage\":\"No Accounts have failed rotation\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"CPM errors, by account\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID == 7| where SourceUserName contains \\\"administrator\\\"| distinct SourceHostName, DeviceAddress, TimeGenerated | summarize count() by SourceHostName, DeviceAddress, TimeGenerated | render timechart\",\"size\":0,\"title\":\"Logins by the Administrator 
account\",\"noDataMessage\":\"There have been no logins by the Adminstrator account\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Administrator account\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID == 300| summarize count() by DestinationHostName\",\"size\":0,\"title\":\"Endpoints most connected to\",\"noDataMessage\":\"The PSM is not being utilized\",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Endpoints most connected to\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (295,428)| where DestinationUserPrivileges !contains \\\"PSMSessions\\\"| where DestinationUserPrivileges !contains \\\"PVWAConfig\\\"| where DestinationUserPrivileges !contains \\\"PasswordManagerShared\\\"| where DestinationUserPrivileges !contains \\\"VaultInternal\\\"| where DestinationUserPrivileges !contains \\\"PasswordManager\\\"| where DestinationUserPrivileges !contains \\\"PVWAPrivateUserPrefs\\\"| where DestinationUserPrivileges !contains \\\"ConjurSync\\\"| where DestinationUserPrivileges !contains \\\"SharedAuth_Internal\\\"| where DestinationUserPrivileges !contains \\\"PSM\\\"| where SourceUserName !contains \\\"PasswordManager\\\"| summarize count() by DestinationUserPrivileges| render barchart\",\"size\":0,\"title\":\"Accounts most accessed\",\"noDataMessage\":\"There have been no retrievals of accounts from the Vault\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Accounts most 
accessed\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (22,24,31,414,416,418)| summarize count() by DestinationUserName| render piechart\",\"size\":0,\"title\":\"Successful CPM operations\",\"noDataMessage\":\"It appears that there is no management of credentials\",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Successful CPM operations\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceAction contains \\\"disable\\\"| summarize count() by FileName, DestinationUserName, OldFileID\",\"size\":0,\"noDataMessage\":\"No Accounts have been Disabled\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Users accessing accounts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (295,428)| where DestinationUserPrivileges !contains \\\"PSMSessions\\\"| where DestinationUserPrivileges !contains \\\"PVWAConfig\\\"| where DestinationUserPrivileges !contains \\\"PasswordManagerShared\\\"| where DestinationUserPrivileges !contains \\\"VaultInternal\\\"| where DestinationUserPrivileges !contains \\\"PasswordManager\\\"| where DestinationUserPrivileges !contains \\\"PVWAPrivateUserPrefs\\\"| where DestinationUserPrivileges !contains \\\"ConjurSync\\\"| where DestinationUserPrivileges !contains \\\"SharedAuth_Internal\\\"| where DestinationUserPrivileges !contains \\\"PSM\\\"| where SourceUserName !contains 
\\\"PasswordManager\\\"| summarize count() by SourceUserName, TimeGenerated\",\"size\":0,\"title\":\"Account objects accessed by user\",\"noDataMessage\":\"It appears no accounts have been accessed\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Account objects accessed\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (302,359,360,361,412,411)\\n| summarize audit=makeset(AdditionalExtensions) by coalesce(column_ifexists(\\\"ExtID\\\", \\\"\\\"),tostring(ExternalID)), DestinationUserName, SourceUserName\",\"size\":0,\"title\":\"General audit information\",\"noDataMessage\":\"There just isn't anything to show here\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"audit\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"audit\",\"sortOrder\":2}]},\"name\":\"Audit information\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Cyber-Ark\\\" \\n| where DeviceProduct == \\\"Vault\\\" \\n| where DeviceEventClassID in (295,428)| where DestinationUserPrivileges contains \\\"ConjurSync\\\"| where SourceUserName contains \\\"Sync_components\\\"| summarize AggregatedValue = count() by bin(TimeGenerated, 1h)| sort by TimeGenerated desc| render timechart\",\"size\":0,\"title\":\"Conjur Vault syncs\",\"noDataMessage\":\"It doesn't look like you have Conjur\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Conjur Vault 
syncs\"}],\"fromTemplateId\":\"sentinel-CberArkEPV\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel"