From d00619d547cb59ef8458b4ef02a89d9942ca88e2 Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Fri, 22 Sep 2023 12:46:43 +0530 Subject: [PATCH 1/3] Repackaging - Trend Micro Apex One (MMA to AMA Migration) --- .../ValidConnectorIds.json | 3 +- ...MApexOneAttackDiscoveryDetectionRisks.yaml | 5 +- ...MApexOneCommandLineSuspiciousRequests.yaml | 5 +- .../TMApexOneCommandsInRequest.yaml | 5 +- ...MApexOneDvcAccessPermissionWasChanged.yaml | 5 +- .../TMApexOneInboundRemoteAccess.yaml | 5 +- ...ltipleDenyOrTerminateActionOnSingleIp.yaml | 5 +- ...xOnePossibleExploitOrExecuteOperation.yaml | 5 +- .../TMApexOneRiskCnCEvents.yaml | 5 +- .../TMApexOneSpywareWithFailedResponse.yaml | 5 +- .../TMApexOneSuspiciousConnections.yaml | 5 +- .../Data Connectors/TrendMicro_ApexOne.json | 2 +- .../template_TrendMicro_ApexOneAMA.json | 118 ++++++++++++++++++ .../Data/Solution_Trend Micro Apex One.json | 5 +- ...OneBehaviorMonitoringTranslatedAction.yaml | 3 + ...BehaviorMonitoringTranslatedOperation.yaml | 3 + ...xOneBehaviorMonitoringTriggeredPolicy.yaml | 3 + ...ApexOneBehaviorMonitoringTypesOfEvent.yaml | 3 + .../Hunting Queries/TMApexOneChannelType.yaml | 3 + .../TMApexOneDataLossPreventionAction.yaml | 3 + .../TMApexOneRareAppProtocolByIP.yaml | 3 + .../TMApexOneSpywareDetection.yaml | 3 + .../TMApexOneSuspiciousFiles.yaml | 3 + .../Hunting Queries/TMApexOneTopSources.yaml | 3 + .../WorkbookMetadata/WorkbooksMetadata.json | 3 +- 25 files changed, 196 insertions(+), 15 deletions(-) create mode 100644 Solutions/Trend Micro Apex One/Data Connectors/template_TrendMicro_ApexOneAMA.json diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json index 86672f5347b..e1884b0dd07 100644 --- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json +++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json 
@@ -205,5 +205,6 @@ "vArmourACAma", "ContrastProtectAma", "ClarotyAma", - "illusiveAttackManagementSystemAma" + "illusiveAttackManagementSystemAma", + "TrendMicroApexOneAma" ] diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneAttackDiscoveryDetectionRisks.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneAttackDiscoveryDetectionRisks.yaml index 915bd1b4995..c8f882aa86a 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneAttackDiscoveryDetectionRisks.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneAttackDiscoveryDetectionRisks.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -29,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandLineSuspiciousRequests.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandLineSuspiciousRequests.yaml index 8e796ae4a87..b9167b7ba37 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandLineSuspiciousRequests.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandLineSuspiciousRequests.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -30,5 +33,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file 
diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandsInRequest.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandsInRequest.yaml index abcedf6f0be..ea63cca3155 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandsInRequest.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandsInRequest.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -27,5 +30,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: UrlCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml index 6495f7de254..7ae5bd1488b 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -42,5 +45,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.1 +version: 1.0.2 kind: Scheduled diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneInboundRemoteAccess.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneInboundRemoteAccess.yaml index 54fd4a5001e..c6e1dc3c8a5 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneInboundRemoteAccess.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneInboundRemoteAccess.yaml 
@@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -31,5 +34,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneMultipleDenyOrTerminateActionOnSingleIp.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneMultipleDenyOrTerminateActionOnSingleIp.yaml index ce846544659..fce5f9c224d 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneMultipleDenyOrTerminateActionOnSingleIp.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneMultipleDenyOrTerminateActionOnSingleIp.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -29,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml index 78803f0d511..4dd6755b05b 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt 
@@ -32,5 +35,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneRiskCnCEvents.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneRiskCnCEvents.yaml index ed17b2d9d75..d019c9cb462 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneRiskCnCEvents.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneRiskCnCEvents.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -29,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSpywareWithFailedResponse.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSpywareWithFailedResponse.yaml index d9a09de7778..2f093d7beec 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSpywareWithFailedResponse.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSpywareWithFailedResponse.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -30,5 +33,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSuspiciousConnections.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSuspiciousConnections.yaml index 19916ee2c25..949e1aad44a 100644 
--- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSuspiciousConnections.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSuspiciousConnections.yaml @@ -8,6 +8,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -31,5 +34,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Data Connectors/TrendMicro_ApexOne.json b/Solutions/Trend Micro Apex One/Data Connectors/TrendMicro_ApexOne.json index 11fd4fe3f00..bb926294e58 100644 --- a/Solutions/Trend Micro Apex One/Data Connectors/TrendMicro_ApexOne.json +++ b/Solutions/Trend Micro Apex One/Data Connectors/TrendMicro_ApexOne.json @@ -1,6 +1,6 @@ { "id": "TrendMicroApexOne", - "title": "Trend Micro Apex One", + "title": "[Deprecated] Trend Micro Apex One via Legacy Agent", "publisher": "Trend Micro", "descriptionMarkdown": "The [Trend Micro Apex One](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) data connector provides the capability to ingest [Trend Micro Apex One events](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information.", "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution.", 
diff --git a/Solutions/Trend Micro Apex One/Data Connectors/template_TrendMicro_ApexOneAMA.json b/Solutions/Trend Micro Apex One/Data Connectors/template_TrendMicro_ApexOneAMA.json
new file mode 100644
index 00000000000..375127fbba0
--- /dev/null
+++ b/Solutions/Trend Micro Apex One/Data Connectors/template_TrendMicro_ApexOneAMA.json
@@ -0,0 +1,118 @@
+{
+ "id": "TrendMicroApexOneAma",
+ "title": "[Recommended] Trend Micro Apex One via AMA",
+ "publisher": "Trend Micro",
+ "descriptionMarkdown": "The [Trend Micro Apex One](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) data connector provides the capability to ingest [Trend Micro Apex One events](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information.",
+ "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "TrendMicroApexOne",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description" : "All logs",
+ "query": "\nTMApexOneEvent\n| sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (TrendMicroApexOne)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n
| summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "",
+ "description": ">This data connector depends on a parser based on a Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A.
Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
+ "instructions": [
+ ]
+ },
+ {
+ "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
+ "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**.",
+ "instructions": [
+ ]
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2.
You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+
+
+
+ {
+ "title": "2. Secure your machine ",
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
+ }
+ ]
+}
diff --git a/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json b/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json
index 2dd0d03e0ed..6a2379676e6 100644
--- a/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json
+++ b/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json
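Review bot: The `permissions` block of the new AMA connector over-requests relative to its own text and to the flow it documents: the workspace entry sets `"delete": true` although its `permissionsDisplayText` says only read and write are required, and the `workspaces/sharedKeys` entry gates the connector on workspace shared-key access even though Steps A–C are DCR-based and never ask the operator for a workspace key (the linked doc is the legacy agent's "obtain workspace ID and key" page, so this looks carried over from the MMA template). Dropping `"delete": true` and removing the sharedKeys entry keeps the connector usable by least-privilege operators who are deliberately denied access to the workspace keys, which are a long-lived credential this path does not need. Separately, Step C tells users to run `sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/...&&sudo python Sentinel_AMA_troubleshoot.py --cef`, i.e. fetch-and-execute as root from a mutable branch with no commit pin or checksum; pinning the URL to a commit SHA, or at least asking the user to review the downloaded script before the `sudo python` step, is the supply-chain-safe wording, and `sudo` on the `wget` itself is unnecessary. The same step also reads `python -version`, which should be `python --version`.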
@@ -2,9 +2,10 @@ "Name": "Trend Micro Apex One", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "The [Trend Micro Apex One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information. \r\n \r\n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (CEF over Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)", + "Description": "The [Trend Micro Apex One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information. \n\r\n1. **Trend Micro Apex One via AMA** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the new Azure Monitor Agent. 
Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Trend Micro Apex One via Legacy Agent** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Trend Micro Apex One via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", "Data Connectors": [ - "Data Connectors/TrendMicro_ApexOne.json" + "Data Connectors/TrendMicro_ApexOne.json", + "Data Connectors/template_TrendMicro_ApexOneAMA.json" ], "Parsers": [ "Parsers/TMApexOneEvent.txt" diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedAction.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedAction.yaml index 0a281615745..651177aea5f 100644 --- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedAction.yaml +++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedAction.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent tactics: - Execution relevantTechniques: diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedOperation.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedOperation.yaml index a80218ffc4f..bf248a910ba 100644 
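Review bot: The rewritten `Description` still carries the malformed product link `https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html` — two URLs fused into one, so the rendered link cannot resolve; it should be just `https://www.trendmicro.com/business/products/user-protection/sps/endpoint.html`. Since this string appears to be copied verbatim into the generated `system_generated_metadata.json` and the packaged template, fixing it in this source manifest is the only place it needs to change.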
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedOperation.yaml +++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedOperation.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent tactics: - Execution relevantTechniques: diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTriggeredPolicy.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTriggeredPolicy.yaml index 16f0dac96f8..dd6825d0292 100644 --- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTriggeredPolicy.yaml +++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTriggeredPolicy.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent tactics: - Execution relevantTechniques: diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTypesOfEvent.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTypesOfEvent.yaml index dda2e4c76eb..a6dc53e85a7 100644 --- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTypesOfEvent.yaml +++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTypesOfEvent.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent tactics: - Privilege Escalation - Persistence diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneChannelType.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneChannelType.yaml index 065e4e2b227..8afccce98ea 100644 
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneChannelType.yaml +++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneChannelType.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent tactics: - CommandandControl relevantTechniques: diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml index ab894e13254..c04718c33f0 100644 --- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml +++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent tactics: - Collection relevantTechniques: diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneRareAppProtocolByIP.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneRareAppProtocolByIP.yaml index 95d085848b3..ac8baab99b9 100644 --- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneRareAppProtocolByIP.yaml +++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneRareAppProtocolByIP.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSpywareDetection.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSpywareDetection.yaml index 9f95ca89d52..e07985ea22c 100644 --- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSpywareDetection.yaml +++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSpywareDetection.yaml 
@@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent tactics: - Execution relevantTechniques: diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSuspiciousFiles.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSuspiciousFiles.yaml index 4185b05a0d9..5d4d8d9106b 100644 --- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSuspiciousFiles.yaml +++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSuspiciousFiles.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent tactics: - Execution relevantTechniques: diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneTopSources.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneTopSources.yaml index 809150881cb..1b64e59f4f0 100644 --- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneTopSources.yaml +++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneTopSources.yaml @@ -7,6 +7,9 @@ requiredDataConnectors: - connectorId: TrendMicroApexOne dataTypes: - TMApexOneEvent + - connectorId: TrendMicroApexOneAma + dataTypes: + - TMApexOneEvent tactics: - Execution - InitialAccess diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index 8aad7a5b0af..8b6b87cefe2 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json @@ -2825,7 +2825,8 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "TrendMicroApexOne" + "TrendMicroApexOne", + "TrendMicroApexOneAma" ], "previewImagesFileNames": [ "TrendMicroApexOneBlack.png", 
From d90b9da9623a213b80fbbf0830c4bfdfb14b7b3e Mon Sep 17 00:00:00 2001 From: Github Bot Date: Fri, 22 Sep 2023 07:28:19 +0000 Subject: [PATCH 2/3] [skip ci] Github Bot Added package to Pull Request! --- .../Data/system_generated_metadata.json | 34 + .../Trend Micro Apex One/Package/3.0.0.zip | Bin 0 -> 22518 bytes .../Package/createUiDefinition.json | 51 +- .../Package/mainTemplate.json | 1598 +++++++++-------- 4 files changed, 953 insertions(+), 730 deletions(-) create mode 100644 Solutions/Trend Micro Apex One/Data/system_generated_metadata.json create mode 100644 Solutions/Trend Micro Apex One/Package/3.0.0.zip diff --git a/Solutions/Trend Micro Apex One/Data/system_generated_metadata.json b/Solutions/Trend Micro Apex One/Data/system_generated_metadata.json new file mode 100644 index 00000000000..f2ddb6407f2 --- /dev/null +++ b/Solutions/Trend Micro Apex One/Data/system_generated_metadata.json 
@@ -0,0 +1,34 @@ +{ + "Name": "Trend Micro Apex One", + "Author": "Microsoft - support@microsoft.com", + "Logo": "", + "Description": "The [Trend Micro Apex One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information. \n\r\n1. **Trend Micro Apex One via AMA** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Trend Micro Apex One via Legacy Agent** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Trend Micro Apex One via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Trend Micro Apex One", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true, + "Is1PConnector": false, + "Version": "3.0.0", + "publisherId": "azuresentinel", + "offerId": "azure-sentinel-solution-trendmicroapexone", + "providers": [ + "TrendMicro" + ], + "categories": { + "domains": [ + "Security - Threat Protection" + ] + }, + "firstPublishDate": "2021-07-06", + "lastPublishDate": "2022-03-24", + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "Data Connectors": "[\n \"Data Connectors/TrendMicro_ApexOne.json\",\n \"Data Connectors/template_TrendMicro_ApexOneAMA.json\"\n]", + "Parsers": "[\n \"TMApexOneEvent.txt\"\n]", + "Workbooks": "[\n \"Workbooks/TrendMicroApexOne.json\"\n]", + "Analytic Rules": "[\n \"TMApexOneAttackDiscoveryDetectionRisks.yaml\",\n \"TMApexOneCommandLineSuspiciousRequests.yaml\",\n \"TMApexOneCommandsInRequest.yaml\",\n \"TMApexOneDvcAccessPermissionWasChanged.yaml\",\n \"TMApexOneInboundRemoteAccess.yaml\",\n \"TMApexOneMultipleDenyOrTerminateActionOnSingleIp.yaml\",\n \"TMApexOnePossibleExploitOrExecuteOperation.yaml\",\n \"TMApexOneRiskCnCEvents.yaml\",\n \"TMApexOneSpywareWithFailedResponse.yaml\",\n \"TMApexOneSuspiciousConnections.yaml\"\n]", + "Hunting Queries": "[\n \"TMApexOneBehaviorMonitoringTranslatedAction.yaml\",\n \"TMApexOneBehaviorMonitoringTranslatedOperation.yaml\",\n \"TMApexOneBehaviorMonitoringTriggeredPolicy.yaml\",\n \"TMApexOneBehaviorMonitoringTypesOfEvent.yaml\",\n \"TMApexOneChannelType.yaml\",\n \"TMApexOneDataLossPreventionAction.yaml\",\n \"TMApexOneRareAppProtocolByIP.yaml\",\n \"TMApexOneSpywareDetection.yaml\",\n \"TMApexOneSuspiciousFiles.yaml\",\n 
\"TMApexOneTopSources.yaml\"\n]" +} diff --git a/Solutions/Trend Micro Apex One/Package/3.0.0.zip b/Solutions/Trend Micro Apex One/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..1676a94d6f4ec5d2cc2866c53cdaa3ecbeac305c GIT binary patch literal 22518 zcmY(KV{|A@)2?INwr$(Sj-Bk-wr$(CZ6`anZQD*xp7;B8e)O7IJw5BHuDPeHt9wR4 z8W;ox00002AdH($4Lql4%L4`gfL#s%0R6Yt(81Wi$ymi)#Ms2##@xx=)`rf)(bncl zTg!2y4b|tRwy!K(^FA!;YHFKl>e}pT(#B+;EV{dMp`I5nEJ$LJq#smZOzQk++Yumv zh;rNoX-;az`;=|qNt-VVTfldfu;@kYD43?C`=kinBD>TO@5_!9iSHS#ePtY(&k%`? z^8hbpQksRURZ0zw{>XHiave-ewY9OQ5|#NROO!t#ejeyLPrQt~!gmN-jnBzV`D4Dd z6!CC~=tvONb@{l0*+cq0iM(^q*^WC70%J90oxc#VqLb_T%H09{B!R# zCChz~C~+JT0*41JP`;RH0_k`1-aC|*HY+rphtae*?f}}3Pxf}-Oxzv8;?WI0T|%Uh z?G3(A>_LVOzCXi)sag~%lGK=OE6$0fSRyrn`GR(Tc_X#tGJACo3r9s
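Review bot: The `Description` string in the added system_generated_metadata.json carries a broken link — `endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html` is two URLs concatenated — and the same string is reproduced in the `description` of createUiDefinition.json in the next file; the target should appear once, as `https://www.trendmicro.com/business/products/user-protection/sps/endpoint.html`. `BasePath` is an absolute path from the packager's workstation (`C:\\GitHub\\Azure-Sentinel\\Solutions\\Trend Micro Apex One`), which leaks local directory layout into the repository and cannot be reused by anyone else running the packaging tool; a repository-relative `Solutions/Trend Micro Apex One` would be portable, if the tooling accepts one. `lastPublishDate` stays at `2022-03-24` while `Version` moves to `3.0.0`, which looks stale. `Parsers` still lists `TMApexOneEvent.txt`, yet the mainTemplate hunk at the end of this patch removes the `parser*` variables and the new installer description no longer counts a parser, so confirm the parser is still shipped before publishing.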
`arB2k?}68ou!{e@rk5^3fI?w`iSd&BE&9V6Kv}*^u%|Gh*t2ee zh8-tF1JXuBiYA%QJ%Gd&o(ALtTrw%ZXlXsGt_0nX`7vAqfe{*9?*hzUU;u1f+=x3*!4dKRU`#D@udi0crt z`&eEA0;dgx6^v@nyeONG=VyPxMZjz<+Jul!Vs|~tkv}IixJTX#?Oy$dAeF!mD2P*X zH7iX?Mh+y6an%B67n8geGdcVyNKT}LntO*kGwYyUCxUyRd9#hhkHW@KZ$g-RTtifp zo23LeY4OiQLO%+_L=P1^I3{jkR16g6)m6Ldc&Mw?8!L2KYn>BcPaAQkr#AsB(hTiR zW@D<^o2L7WH6m@yiH?FM)IVA`-Fxt7AxsZV2*QUrPeS!I?VCQFRoz^`MP55~zH}Oa zo&y>JJzSWvz3;t7!dYk^IJ8L=#r#pC+&)4^Hg0mvlBsA)@p1h#5wn5@7E~lvr?FZw z0rJ_GU&b}0(vO^s()g_i2!w-6mzq^k! zQIfh&yZa~9;5JL6)vr9l_JX&5pP^MXf85$tLNzkAJ!Bc81GnukNy@DLL?fl_0YCOT z`E`$MOEDhwz{*Zj152=;y93j$n#p7*DK3|7wlo}dxU+a9Q$(RHn(5-u9spl$6GQo@ zu&ikrlQ#8B6fE%`IF>;`ae?yfG4sSMd!?XZw(KiprA-mgzR7Yyf{LL{A;G&qL( zkjlQ9CUCmQR9V%a^!4L4Wt^u0kdI_XW>*lep?~?*#uBU2bS64}-tQ2u=Sp*6Kfd>9 zPFb){LRi2YGxQS0n0pU#V8o&;^X74I!GY$&c(9Pf9x0H z^8_+Lw~2qPs_-)#cuy?bo>+=O-)C{d{jtOO0p2NaRUsC7;mq!vwjR@GD!A)NBkBQT z;O1;6LQXR4tnOhM&CSJ1XtOjt)Sjf?V2~+(cs*>R67sU;zVa9fzesKb2lp*a z%9xg`_!&alva;`z1d3U*(hB=Ph$GvwgcUR77K>>ntT)u24bmC%x_MsPk5rfVxX)a>`WfL0Q0L;EZSVO)NBi5h`lnfJv z@{vHG-4aP`-$q;zn*f+rlH2Yc(&I8S%tfGa8@wt5=o}Cl0b^+bwBdwS1Q50;xZnGG zos#x09PO1#Vk^?l3CO-d`FVbQr3OflPPKam(P&_TgZ3&VnoX5wrywH!_fC#a|8vu) zYy8(HIvLwTrN?3GJhc7wg_i*BfD~!qDby+5{%v7`Gm4}q*@|@V{FC_zQTd@%t7TxY z>OLQx428Lekw7J?0D98n5`Zi-S_^^~NnS~Z@dC(&xI)_cZ8<4gBoQ`vEo1e|9&$!; zjdBl^5ZC>obT~Hg`>^_1^r}I2zH3o@BDWOyRA~KpX7j&b1b94}UM0`HSsXp6f+-p{ z@LEpIN~e~Eb(f)QGLP)}sj8=l*2v?Lt0eOaT9#PCx`98WTu@3mirVe6!z?NbpWf{Y z%MS?BTB<>sv{!A_FUYjk8*;hE=33z&9MW3zP0rGhNSa*h0dz#nj}tUL8mYAVp5 zuvuG!XW30{=7#?6p2gLN^u1@`I39�{i+*I(;0<=;zhEm_LC{ez&jiU5(3wTKfxEd&frK_xosjOvqZ%vJpsgz$EJkPPbseotjG~i%9 zd{suVRkqc(RC3f#Zxo)LX@GlhnJ~kxF+TB>pzvWuv=3k-OB7MqVa=12ZNa2D^T~V8 zv=s7o`RVRje`zEB5Nh*h==NR<)Yc}1kIEb|pmiKJm1SG6Q~Gpo0gv7Mk0lG9!4gZe z0D+~z#c+M5V^gl5(uMwTCQ&iUv5;Kb$>D(+t!#&MXe&~q_X+zk+4$?(${ebtfg2qTqrINJS7UNql50V1(}Zp z`bma~Dk0k2`XkLmR)bg`WQJ~}P>o&ex#U9R;5>Iwc(fYK7}dTt&RkD!q*&}++^HIT zj0sjoc6=yGAbYKZNjrxX(xPtC#&ki&%EPhfB)v|pV8!=UQkcUPxxZN3J^>16Qk}1? 
zu9EqEe!P+{zK|-(&yYCV*WbcHd$Z{H2t@g^3%U_8#aydsLU=w9Y|MWN`7BJ7Jqq0( z-}`^^bJjWAA1Er%eogiCRK$OY=1H+)(q8lDU`24Xhiag;$;z4*x|*`?_rlOLH+~%E zEsh1xrb|rNK218OzBNMXph&bjQ7e0|8ubF?B5h4S{_qvJWK=)RREd@>R6S3<-+y?Q z-k(r;oG8&HU;FNtUa;JKt{)@o> zIuAR-NA4q}^*r)L0W5a!bnJZ4Q~3YV6*eSBS05<=fLvH$0L0&P#oEB!M%mcf&gwU5 z`M*TP+fwU*qviVL8+H9sNof||f2ckFyoN6m%Gm%t-%QAPDyszlU%lvlw4tdLIMtTY zM=QQ$iq%>QEoYE205dbIz9sFJF0Ev3O6vDJpkMXR0X8znQmd|iwIssi=kMfoFR{D) z`qYpkSgx-0hx27OXHV{o+gGoW-J{u~Qq}e{)6S$5I_nxp&a?%uulwgt=Y+r2rQT=I z8R+qx{q!y6V%G}G)A=*^_6Y^7qa2*$r+0SeG@K8ftR@s0j%Lu&`-KaDb$7;;c?J60 zay(~m9s!jkmU4P~L`Zlg2b_W&VRpdJas?P2&q+oAC14Qq6N-=14jR&zI5_PrCk84Y z0t0=}1(p{=8i!ACCSVw5pXal$F^h2uS8c#SE{_?G?9`ap!(zbF+XlS%>^V!~>soLp z+Y`*|ru|{yw86&hzvrTVZj^!bh`-+ zguU$D2jJUXsId%|{CbnkQljY@Y?<#g$GlDAGS?Hp%fHXz6X2X|87cr0Yf{-qr7-% z|96^*o!B!9X|lTKLR;&=uo3Z$sG^QcSCNWPPv{y|O>VRBv^`KP@#1OFT`)u1A0gLJ zuAyr)9qbjAbZE*>4z|C({c53e91NPd_|dFR6jIVntZfki_o{DC)!HS2KW8=GRToNLd|z$@TL_0Jk~S6 z6jNmaa{PsMP<<@CgS6#{e@^zlR!MlsSY~pSu)d`&OU0O9Ax4?Y+RKz?gjPE{RO3n$ zq#O3uu_{SLVT#=4Nk*Y$@dV#m9n*sv|IjT=ZIwY}32}YQ?^oS>8eb-z7~^)hXrfAEJI*bGZ847%eh3!wy~Q&VUvjs4WWpSKkcg7wtCDc z4Ad;;K3~RyHCyy>Zd9tYq?KjI((Kl?6}w8W4H@y{SdzAnj||lWI|yZa1fm%Uk+--! 
zI-;Ha?2HoJqQ(krN8Pojm2jfBy4apyjd@;aqtWm?Q6UF*K#VFDSXuOwOK6_7DO|xe z$2bL-2IOsoLM$Bz?Ref5SW))xNpYS<5?GM}@J@f4%J8St+z!*H0rgOVJtfhQzB#+n z?e6IkwWR{=PKSOx4g~Hlhk85?0qWKOI-QyV|F4-W<*XLWsV3p9WP@Vm0?yO=OWi3g zXrSw*kcUJsSenq$**}#Ww?)%HsG{6 zFv40;r#hs0u8#iO-gbGeD*oGB3VE*50NtH$0yhAP6o8L`Q{eCZShMg&0ypLVS>uth))_(z^EmxS;D!>gI~DqI z``2HkP>d&k;E(>mb->W5z{iR=nJ|O3>3L)U5(KNyiH2*`b~^ z@fWaK63y&`MPh$D#L%BK)9#R$ceyj8AB%z)QTw|qp&nau z;_Cn%pFPYGrO`X`b?Bx=#)yj&qzrTwgE=NtEm>iOa8}U6KTO`0aj4Ku{$5lAdPt#~ zTyfy)0GV7UEfi(YJ9cvFW=)I)Pt6dmBh zm*kiG=~h+~^1!gwZ{{>> z-pV~;E7T}nz&Umw8x|2GqUI>}D>@R*iSSdVQjs&{xdFohV>yu(FF6t}1k?de726cg zj%n$|)z;J+#z>XqYHKoDgzn-Z(1`B&-GP&s> z=F_xqa&ilV`_~Wg2>siIXl(DSdLbT&eGDaEktHGTzz9@zZ3SY@Es-n|MHT`-EnJMM zwf<~Wnf);HRs&lgK01Uso+a8)XGJ3U+g<;|0xz>n`>+X7B`=vz@jv2ByBn=Toe~<) zDlYoUv;gKz;_(%|HF zRoKvW9Ae%SsvMcIRuj1b^sGU{s1P2uOuRw`7@94 z#>9RH5?*ErLx@np#lW{{&5`)%^G>k*TI1_DC$VuX4>b7Ki7%`Pc_D?3OE8b~3s+c- zj5UUZ=Zj>sIae3VJoxGuL*E0fTlUrwc==N=pZ#P7~hA+tFcL>=aud-{B#KN(thjH9+riz5K4Iignkh98p2bgeA{1|6^EO&{qj`*wto$ZD}du%#Lf$*n%etL74(YNqEKX)UM zfUs;2Xs&0m{Qs;Ack_ub@N<BxHEl za$c$luhXDeifI+O*<4??&K8|ltD*+YZA?9EOY>%&`TGp=rzyD{I_~EI%OH;zC^PK8 zgNhLQEE$%1ZOGRR!CRFvh8FH|(QB6iKqVU-cS;I?w>w0eFAFP(6i%gCu(bqmKAdR# zDzY|&T3N)(IEWKS7F0LkcdW?E>J{PZTc*wXi&!$Uzrj(F?LfsG%w>B4yf1CoFHGdP z3st*KKQ3B-mrTkTO*H~St@6MfH)&z*J#93;F?BY&fmS-MgasRH_nW~UOHyLdBlnk( zC5O;@O`X=%W^LUOAXm&~G~J8Sq4SL9VrlTLvCz=X)Iys*Ir8db$WFOo%=<_|xUfWY zIUqCk(}`3xD>Bl*Dd5!Nt8CktpBAe)OrdlHMJ2iw3i>h!y`~7PAd{WQnhc5<+4CV* z4&8IEQ40-ra`V2K`3Hu*{rU$1X?29McflxSgHYgvsmO1EeDDVtq}VjKrtXNOOrZ&| z&vTG#Mjqq2;W<#%9W8Xy!d^S&UHq*rX zKgsIJMw)UkLM3IMjo{1k>vVZP9mEPO>LV+^AO^uvozpfU0@=HHG>K2xRGhUy?|#h( zCZT8$HZ8Y~S^Y(z0*IbxxbHri>;+=tvCqY%PnUWG<3D=K&X?#QrT%EJJV5QPoPVN{e`>*!#6ulLrOv<#}Yk0z;Hu_xQ4;L6{ZpjwHAIH&?~(e@6Etln(x z`J|*Xak|#*U0%+4xKJ~Mp+MHoTFT(vlI5{S{jef*Kg;~xtld6qriuh)ng`k%9NmmJ zk-um)){Z)5K9tQkZnMXZ&vnQfgDL&)GH=G@nTUH{mokZe9oBX)2h`ON!*88jzwd%N 
z1NiaT1iH_}OTKplyKp%xmVsVcUUc+Nf_nPx4i+}>hf-5@@U{<;Tyt-%RD169o~A0t{|3JLM*vG3p77QrInD>>BmRf(BLIg;c$7ps9&iUv&I2KVz#>1 zTbiOcugAm;=Qe9h+9$pS(ut6%wP#T{JjztJ{NEhz$PkG~1bd zKB4D(+-#WpRP8pCwns01K8cxOTyQtb$OkdtO{P1|V0Eh;XU||-{`F_Ba%oRHNBKN^ z;3~^yfvE1hOJ$y3qctgyPbrh+0{~gXQKr2$>dj0GX9m$(xLKo6T(SYlEYyfccujTL zvxY3$nmd_@X1r3Vqc%b12Ay5VC=+etWh@fvdB56a#*qY`Yvw^T+B8)1m4RZdaLMM$ zpo}yb=mjY*aE9AWPQIkW=5^(H$i8gAHa zLng~>{~h(#A>c2;DgyQZojanRV*Hy%r$M_h8ss(173_-io>1q(?-=jodZWc_lheQ`B+7z5bD8#p5^saTy$A3ErO0krm#X52-~Ohrmg< zDhXR*=~IJi*6?dY(ys2%8B`TSHs_oNSZYXOyy4PUnB-t~Xeb9%7Ug@Jo=XC>MS_l8 zWp!ZH76_nyAjq4i&Ir0^B`Sz+PK9<7v*1%gK;B-1WI9rru{{41N@Wadb{nJ`e*?HN zVFbbM$ZCogH7o!27NNjgH&vg>5mf1f1NpS4<}YCaFREKh+0AhZv_zl; zBhKs@37*i@w9bjiwS@MLOPsIj*-LM7a5v|X7jQc_y>+}J?zWQ*s&wIxah~}lo;hmx z$8liZ5#a9C3oc>rq?ZP|Bc1ANmF!g=lKPwrt*j5+S%;pXorzG6-gAqdfp)KyMfSEn za<@Wn{~rab-oGOsGM(jI>pL6$e7!@#+hgszW5L^_W3}fIU9l=%F``*J7F|*J|2o|; zYyYz1Pa^fC{<$$oU#T0?;t<{}a;_>{iRkvHrq>sIsBr(O!LuLM?HQKY!Eav{KJTV( zESKNXQgc~s@~PcSAoY;jZe^;~+Ux7+O}%=!uR+Br8C`cK)on_Cxh#ClQE|K+dx}zU zI#qN&R(y_7xeuYWd)A13xj?@2m~y_OJlJl`GL$TVzS-;6bTFyuQhw-CR=dvDY%ryw zUo<@qrphe}lEw)hlQjOD;F)?X!vcRS`|i{wF^peLB}Yw4290_%o1kh|*exLK;d_i+ zbVMY^+seViUxaOUq|3BJ%8;)LN>&Agyv@##|C|JjY@wnr6vvO|wpc~LU;rj*e<5l^ zaDq@1?D>s(u7<+kz&d=%*!bLqAJ33%VO z_v8LZE(`hOYQVh1b+?NuV&65Y;1%RH^=3eMw?7%h-3O5{SFD$QuT~YbDvG4iFF9de z6_ENMmrDQ0&{1WA<)slqJ>8HLwyQcFO%#Q)&oaY4GP~&S2-uyH@G zRIn`^Z(#Q0;H-oocq0Oa4kMr*7Ci`=&%FWd5Zu(&57_&tueTc?K@WrJHSS}G*@gMd zzg{0m#T4%VsO}AZPLrDhy}8KEc6-dqIE$lCM_sA9IItqq?n_07(u+`Dh5+qKXzYwA zeFN!6?@K8#E#vXPC$RV_lbwCAm;aI60;X&6JMh}4{XaX%# zuL>_^zIen#hhNTXAW>|9ViF@AD@FA#g1POvT(>c1t7Iw#A9UI?5ACq7ql$KY>+c+W z?w*WWQy=BBv?CeQrFr$G&V>&oN%)KtL;Mv**(y160}CZ~LeM*g_>x;-+)hHpJ!JM9 z=@04Fd+_X%OYsH`K>HAur>nzgGk7e)^#pO|SAfT2{aNIvP*nGV|2R+rv3Dg2xTAu5 zYN+b}HUekDoPRPz@5Qp%7@ZmXn3%&?-4Ax(hb0bMAFf}22p7^nyHoDmWS-f+sBc~^ z?^?eQ5aM(4Bt=wJMW`0E8zmW2J4W^-~WAHMK#=vw#(=4(Dy| zVkE6U#0XNl90MI4NFQ-f@k+pqcXd@@B#~&K1~x8>mqn5GaFLFdCOJm$x}6mH#eZFn4XO^T~R$7B6!=+ZE-4A6YWiRZVCgb 
zj*Xt;`xB!%-#~EG@fGtX$!FIs9gue>^K#`2e|jQ2T~QNRG>WLm%zuw}uA1VgiA@ob znhxHB^(M%7q%OZs#!LN)QGHA~$x{cWtuZ0E8&`6~gg!Y4lP!Fd^ zYrl};mNzMiQt8MR{rLvDhqkst__{X&N@l_dr@xw-e1JzRWZ~{W3hOUM#$iW=jqsWN z`uBp38qf2P4>{)1oL357HrPN(+$z223X*Q=5imPO(s$C=_8rtUdndHn+Mu>$RHA(r z3T+O);k2>aV!fCZXN*{s;TQr^t9Wl~+54$dlT+Xq~|GK;O5Nue-KO2x%D$GeivND^y4rgf?Y*G-ZS z(qpjf28+MER3x(vpjNnX<#K*_f;|OdKG>9jPX@<+wF>na!djO>?(|sZ_3qx7_^_Y1 zFz&uk-U{cSYkrlZI^#aFv=9FWei30v*&7zbIi}&~8C>cD9GcteHr;r`z%m~BC9-b# z;?&l}@vLy7I<406;B0kVZiJHMAB0ev6-z>%m6Slb03@XWL}HP2U$JZW7Ep;9tnNcN zIS_%5`eC(v7vpS*uO~R{`G5OCr;@nv2SGmqqc}gPgty7~r@FVW@JiQ&4UjuRE}@*6O`dJU0?-YHEc81%-l zK}iciTu0m%U`|gXAjXHZ6~c5-B$`qNMZxZjal7674wcADMS^s&3b8& zFxWW@?6KJ(RxVOk`mtRredB^~^!u(WrHf8U%jCPuKG8f#K63ZMY9GV2prM`JI*nm?{}6?90UKV)R?B^2 z9X}3eATHad{VBg$e{p%>TU#p(NEeC}{@{o+{grO4ex23SmKfwacR^Ha>fu+_mbk(a zT>H@c?c(O)?BmAu$@1#p_U&TJ_w|nI`L`qI`t|xz3LjIu-FXD3T~CR)qmIxdk~`bW z5D~#AY9aZ7OmD>(zIOZj>+*2nZg|_y&IzmX9X7M=%iqQnmC9wFdm^N#&Uc?(2KC$U zdXwWCxBOd6ud-WkY&On%enk!Cwq-)LO?t`#p-#<%zmUDsf%pFMs`^;Nn#c3JW5gwS8lXk6Hz9Devq;5s{L}ue z^~sycs??j%xOi==(HTW%YRZT1;=D71z?5ZJa-;p&bM9*ZkQbM)H2H9spG}Sxh@;@51ik-6KKYOg%kUkC9nCww}(t}woCJf z4aA^;W@}7mwlC&tb-=m{#7?66mHz|rQH-q}2lxA|TIzv6m^C=qIqPwsi-S{H4k+QF`K5DcfTBZZpkf!))FxgMuHoQii>Es!>G<)~xXI|MJw zOnZ+AHpTE506EwA#W5y#MrYP;~z<<*{!dTU1nZ$nV@ znv?jYwubH_zjwtSrIjVeBjahm2*XLOH>WuEPz)sWu;Ww$fq^Tt^4RV7)0hE6wz%+uq0+&5ka0{dRgKc)o#@XMpW%Tfq)yaQPCVw(F%=qtBc(r`k4}4U_ zR10=;3&W?BQT4`Rs+%1cQ^od^^`^g>32f0T>iaaGbsX1&84)|a8 zo)j{fw2s+2fJHVeh$ilAWp%W^BNd;#unltKR84D%L5KGAa(8g~yk<}D=xlsx7Tn`J zPMhqZhgH0}XiB2N7^1}&S$*W1`QG2p;VDE-YwTlv17+GIf=r=2ywGqU_q zyXwBDnK!q;^6}c=7Fq;*1@Q`pB6-fr#f8QXsFZdj_RWhGGiEye_XRMZ7(VWJkTV~? 
z)=~M`2Uu(F=2gvGM%o!x?|7z|#2xRh3@70gc3Lr<=Z!h`VUQkD@-y^uH@*DwfLL*w(x+)R_JPh3 zcUI0ofX_UAE-7~X!^(t_+y#}sepH&*i|zr*vbcK@zb{n#G(FA597x7QY)}xXyfr2q z+Y=pz_rT4?EMuDvK->r68!zIPLBeOk?;$LZtm<;d3i7}E3@YxqoRUsf|IES!x|_MWWFu3+z4qtqL#2Lj$iLF@SFa=S5*yX zY5|l)#KTNQSJE(=G=_Joi+PXY2mHjFUL9^mb5$z*aw0!B5c zK6k%A3J?N##JXD(ZD5%TUICU=7?+!R@5}xT?Y&nnGaL1z>2+d7E>dncna0WaXb6Vg zhQ#pUKdx%y9GKxAB=>h{YT?$9E4CTz z><+*@#cHL}zo1;NQy{+rRY%kCToIFwCz#N=-sr3&v6 zFtmPp|HAH!@wSg>rXC9?;G%sSmj?fkkgT?4PMetv*ekcCf&~rxt1$37seYzo7oyTQDGF<1 z#He6(hg)nV2-dMa_j593zKArXJ2%0eb@EXrrTe~+qEJtA!jIh?{&%5>+VeUk=<@KU zzYiqnrc+WKr~b#Nqp9s?Evb{UqjU0tV_aou&KSP?vUR%6`4N>!<)p)SlLxQbnjPOV zFOORC?DFW+GhprIggR(-4pwIGx2BM)QJOXmZhKISs*Uk%#nvFSp0n}iCw-c-qNU+W zHuIzpY4Se5kqEnvN~5Urq~z_yl~+z?36NXqLmB5aBAg_i{pJ9Dq#XkR&PzzJ7dKoX z_wZfGeZWdQjrlAm(EyQZaJ;-^TssBG2A?>?vN}f#meSEptd;A~eqIPwp}MuFL0gS& zYJuO-CuvT!NL3d{i2Ag3hT_3+J-A~*T>js|dTd>>q4nZd3s8;IS(WW7Y|5#i@CCa^ zaY2AliNC|_R}I&by+)}|l;K6G-MZ{lt1@WnbeLn;z2AQ$es_2-w1>Wf3fVfN5Ik^0 zF?t7PUOqSO50R1=vkA!_fA{;zvIx!x~D{7B9hVf7Kkh0jcB#&}@Kw{1*mR*peU2Y%D z`)nL!>N=6a`@-An&P0l9TzmIg7+|yuL{truf)&baN>R~vy|O3v-U97TmL=+fWR0tQ z3F$u*LnP4j5O655-SKuRGA%&|MnVzw2ypb0w4+0sN|W{~a3oOnsB=iE-UsXzcw}zg z&QyAFtR>p4bMf#ZrHjZxa8$f}UIXF--p z4wsw~f4+Vq)Cji^o&q7!-8N&Mi+yABJbSH|VUM0yROoOTa3TcVn^qB(mSKsdRd18K zIqypaRRJ8tC(!5MCWI~|741(b7^ON%@jcM1r&e;pb`6@*$q)GP;bI(iZ?jg`zJuX{ zySozjEK`7CnO>Qt&_054bsvbwmK3S{v&jAGr|pFM#!H-*x>*~{A?7y)3npgUh`#-v zo`HI*0N4!VOvL(FGC}K+UP~bA1Z@BOz1P)vULEjiqNN^(_kouiT(zo2-skGob&Pul z2P>prjD+(hco|ISBHh~u!KigT6~2@>bQ{ac7Qsel|h42CUCj` zH4s?2mv}r3wIV99H<`_MSL1;3k*j9(bf%w_whWKgU37HvifFMuJC7}H z1M@>cq<-Sd{b5y$V~s;p!C0!+mW}9;P=B!$rFw)~&$#OejfVfAc}lpZG%nN3Hv%9K zxCYZbRGo8F@BQo*!@CZfZN8Y93=XvKeRk<%!QAQ6Qj#E38~D3bNVd&5A$3x>K003Z z(bE8{i*3A7d@igaqQ?}2XC{kIaB5(BTil9MXmoUDUHV|Ir|wtLqSRtTO?5d)igtH* zSi%RpDq7fZ=cehHwm7wE7r;bm?VIs>1f>-sW}5D-DZLjZfi|--tz<_9y<|J7Ndc~O zT`d*0S4I9`eaVIhe-$HrYPr~mD!&D#dPs9!`Wcc;Bi#;V){E zEw&VMEqv4RkI5#Z&%s1a>IaKvni_sr6V;vJmGZRvKP|@7Hvjf)Ut7$!SO)oTm!?;{ 
ztBGK#=j(`I)s#Y2;zDeD3(WoWU5tYay0=B5r&NLYaSh(H(U8nWe-m>6kBJ0tRHPH?QUPd^D zv555x+ma(xRTO7iXtkzFRC7Qg*4iI-WxsVD!I7E#>NnCv5u$3F zpypfER_F~Jc4u%`e2cdMuu#2x!X+mGk6Mi?N*;X*5FvD6G*}vKx}dd!dS~_!!MQx$ zJlG1QIDIP=KqI-HT}lAfw`bH$SPk!vBL9eg9A`6l*MBtM3ZfW0>c1ed%V@>$*#dd* zZ6lqc# zCXSfS6(N32%oFjN3?lhRew__3gEWeC3UaKEwzmoH+5tZxF>cZ>96^kl{KC^wX8-{7 zFVk-&?{1-3X`q%2(LfhOMmdq2j+tHvtw~x%<39_s!&{h4`nzNiz z`Wma#s6fcl!JTk$L(S7vHw?!L_PG;Z09i}AbqbX#rjK&U=bszAs!V|zo(<4)Dl&ITvi4@1-@=nfvss^H8hyXW1CW@NsxnNHXoQ-m%{Z3X zPtvM7MUqMic|Ag38mX6{Cl{H@VkaN2XQTFcfBt%8Xd09fL)KHs;77RdnWb^`%&ecx z?2Hn-B0fsR4DLz|!g>o)ksi!mptUp+KQ@A7ePQPh&v`&^`#OqV%Fs9EX5`LNb#t+j zhuC|(|NGkpN_7QX zCBejP@Oq97{H7L@Y)u@+0+vc%6b!E_=y=)b5VCkh<*$~pk&;g*f=d88iX=Z)&|N6QoK1nA>ISaV{LUXG&0XWDt3%Tm; zhj4-16?o9-V04g|b&vW{*D~=|*W-`;wJa2j(-wo;hDU`euYk1U{7=TBjVYXbstBLJ zHJ)dLI)=s+Tkql@|5=yQq=d8CPY_xEpw3J+5R#kA%4%DUr-9as%jp(pw3}D_PwM5sd;+wFhk=!h?zV!iP+(v@=;T61&xcGdgNVP985?%i}{24LP z%?IKNp?n2ov#;=!ZsZsinx#5+*{~Sm0$lccV*8d@m&N78#V@h2-3YLSzEw`=JQ80Q z^FAE~2ITrk6;-@$ACy|xPQ_UrlwRGtjd~)atc*i2xhpIp0@;f%OW$_ux46qGv^~@G z{`_Zumj18(&g<(WA5K>alu_U0rmd z_ZG4&!RjRlLU8@Q@1Aq-`R=(hf6P1Q%$YN1-kCG+JkQKS1IW_)(&I9#t+ZL|JcQVY zvG$8d_J}Cxes&vEKa?ha^%*Aj;d5f$Au~AHPaCVtA$*5B>%bnnM!c>LhMW9FW(c&>hO1qP&jP2eRoZKW6GtBpw0rhd8`Me| zDqWSqJ;fSy4r~rXeCSG6Nqt(Q=5YoQg{4wI52`LFb9=~lKa=8S7cp5FK9ATO+$JyI zw$&?uiA~Dz#|9dkrBy5`7%f-EwQg1{rSQpus;)NYbG-j*p3LV8l}f~Z$*cWi{9$_C zGeb;8wc+kD?%_jw?;OE$#S0SGxOF?8Vc9o2U-9O{M{Nv6k~A3pX0b+Xw9Xw!sXfnW z_8I(3lZlb<3?Xe+0jZfCMt?68v1a7su(Gw`co>ggGg2XvFl21FLQ7J;@(5#0;rJk& zp-ItndANE~||amDu!sa|P+BZ+@IJhaJ0t(6q9GeebA#INxtjLlvNcFxHs z`B})uf!@NNTTG2_E-90ccOGqNv-6_{qyZjLB+^r}SgH~l7_atcn_9Mr-mx+6FZbV$ zs;j147XHP>m`su}>7m^!i&;ClY$ohzQzI}aB687lUrJ??zQb{4=igCpTinR$>eKII z9BN|4Fn!9LnO7gR$uJ-8GqDu_7lRLbPG_s~GDk+rSuv`Jn9RygEn`nG^-sw?`+qcD zdwA}gWNcuje{u+*AU`o#)Djn8P>g?)h_mc!TE$#>y+4Wc4WKX3V$!_cG6JeEBB4FycZwIn!@}#TNh- zNiC6#@cGzGFlL8El&F12xf1gF6)cUchMC-^45GfbBx0E!`dXtU4XH)H3rj9#W3!UF z>+QhNq%EeV-J~ONn+U;vau!V>BZS!kSYm4lh$v#vC(WWOq3n$^4Y@FeNMC{#% 
zj54F^*7e$Ug5pF%A867)PRkzgldbHOkz2yN@~0A*1OssCB0B7a#N86aOYys_m`7|= zW;&iv(OTzBJ-}(yB~L9&5|NHUhfwa36 z?|h;uI!6qwuc{A-hC`8L`!>)#%4liXbWPi1zTt!oW9|23FBYFJs4v>++YP6h+QR;E z-^4%eL)^QsaR1(Yh)V9Zv4Z_9r-J=g`}>Cj=wdzyv=e-PRQkM*?sU@oyBv1nBe_3O z>ZHgiZFW+lm+ZsnyWlsv0c=4Mu6_#~ed|r%Bgk0rp`KIq`I!XpD}@7U95q4 zbh;{_iih{Jkj2^1&i4}>Hx_lzE<&!yI;5(Zamk`D^Sp^=ETEhM3&-268*itHo~h|< zAMYFFq`fCk;VLWF@YtMeym+#wlQx80c5Q?w26Lc@DZU|CuQ(3d;znj6@1uX>Z!h_# ziQ$*uEsCOWF9!*Kg;S1^fg1mT?mfFVJ3y4}eISy4k(R;Ff!@s}Fe&d%K zcws-LQgaA{f)owi1Q?Z|(5b|%qR3IFePYI`8UcRLK|R|-=KVAKzLY}t?DuCOTd0i! zLxTvyY+5_4;gE$%I@L~w!Ch8(WEM5;y8+7;DBq>GUED;M`dkO1#h;o~*0B-nT-EX_SU@a{cOmmlL5|*sm7Q zyiIn;;Wuw0BoHYd@W%otK0pv0XB!hf(~rCRC9efL}6VfReSJ1p8u(w^T)zT%U8+SZz0 zjJouR_;}X)Sxw62FuR(5eDLkg!zO(&)7T5X0xo|cD|hfsLw=8zn??JoNdD8Dw%NA$ zU6f7kmf*qD{5I>0<>4(sdO+B#40gl&opp=i0F~~dBG@a(O)ESz#w2|lYA;dB-ximT zk~mD4pi%tyk@fjL4-ny1p_D!cM3^TKi*^eCx<=I+?dWm|qN2fDbve!Ci1}}JbV$Ns zu~m>brpI5Ad1MECP8D*0d;TU%Jdwjd=xXR2){4Q;Vgd0sTXV#**xUBOjo&!Onn)+B zkyDhf*Qv^|wR)jx2_c$$3sQ=dhj{yvz9BMKDITrAjX;F1LT1bQ*x#+jE8r?!D~IqR4vNg!7=xYl@W4dMbt# z8~ymRMC5Zy3<|tT89Z@BAgYhc9v_&*ygdWkmT7b4CiJpW{3ImmrX^In`-hO=6;_C5 zcm69C|MjB=qS+|~j|6a!IFkTdpf$V<-_xV8uF_LgkT8G(0#lvSSR-*>#{)Ho0Nh1t z-2{Jq_uN9}%+`zI*Vr?PL#)^;RNqiM=e1DVBDy4+b|PXUXhcs_09I6laR+at($@)E zU5LHKAkT_mjZ`8H(T06&iUkGL1z3K0dqma_X6SB;O!#J!>#I*oS_Z316BG?f6Owsr z#+51hfVx%q*BGyjsSV&FcT{T4OFzRT9%B>s591y>;|fN;}Tt^9*WU0!OhLiJgp~zMSKk(r9PQ4L`t%pj!7SZ z5w^MuJLG6@X-}XZwt9{H60@`fi_Hr~g406QFMFTSLt+Sn&$EWI62Rj2jshD(P7=*3 zW4g8mmACZ~z@9@zF4r?Pb6_6J`c1&<`0D*+ouvXLpA%0e^c{@4hBya&0ez;IgpLVDcLDF zmsHW!(k-8jlN?izQ^hrPMdfi& zq}}xvt=&@x(I!8hXkwU@!-8)#oYH~ol~8K2b>Q9F%vNm2;mE#mc0WUF z(pr0OM*!=L2rT6C-qIuT0_0Gl_^P%TQ*DY4x-4933 zW-M-3U<5+CW|?0p$M(h*)6>Mv5MVbweM=}~gKNe(4tSNAl022EHsz+^!>XWY7c5lY%a z9}Eer2RNT@DqJc%)@D1$U#w(l7CVr!R@yM;GKF54t(Mh3rYvVX_SY7VCH(D6V9zWFv)9{ke@`vaamtY-_yMGa@?IV5ty6q(O#QKT{v+ z2#ZM55ZB3v2ELT|Z{l6AsS0>r%pD*qF&0t8nY+C{d0V^WA8oT&Z~qvW-`qq#hxa?w 
zudcA+#BSih*SY^{#KKiioUiR=+ajIgSyKnB9A4H%Ke-GIrtkc%YPvybDr`7;sxWD1AvHh3&n`+{>#FZAb7yX&d*$ zoAz4)FK@S9exN=VU+{JUE9c;yoKYR^sAMyJIBA zmG`Qz50Yj$1X`5t0nB=v*A7vr%J+kOD3*zTJq1Gz5WC&|aZU1{!-xHNa=|o)FVzET z{)SbOT|2hSIk4G}BUope&Lk?AOoD74skjjtYFYxxO$N0zVQ${dhw~m~hY0pl}panePdDQ4p8BqYJfP@L4JD^}EVLdS#vG_^)3q*EpKr}?+L#pJ? z>DY8dR6FW2P%PTb!8iyD<)i~qFbnD&J9F(x@xK^Fx=!_&KSW6P$F?BnM=|8dG zZdUWziC2x9idSvB=W6<2$S>5O9Xt~PyUF~v(SBRzv~p9&DfqWdE3QXSzSQGRnZN#R zi~V=+Tj$b)a*h3@ajLyvgTDM4&c53BQtJl`u6h2h3Np^m)@!Kc8mb5kY^X)Y1qS*R zt@vAk%-B}ktnzu>hjIf|I;!;iSKDQNL(UHoIkcRo?=#MbW<^ZVp*A(j_Gc{eA>L>lP$C2fG*S!Mpkj@hc6-;gd~m0`Ke(;m|AG@DJ{n*O!2BhT9FcGmFIwyIa{dKWn#8qi9Ftc#&Dg zLME=Uo-DG0)==j=z;=>Hj1hJ`HI)3o0ns3C+WR_#>Zj8WyS&Zbz>^Y{w{u>pfn)L@ zndKUaM}6K}dp%3IOUOXR_HJPTY3rK^x3={qDjCHVwts)l9V;i{5LYYK>Ni!eIq#C% zTP3K%M$jw_0`5QN#-mQol`M1&P{%Xm_S*|Q^m6`G)-~~W4b^7N6l_(0tBb>WyDg-X zCUHYpG+hmadR8U5nN8$T8CB1x%*iX14i2NLo8=)7B|QdK$?50uRvbb>ql4HF`-PeK zyFz?c$ss1@tAz&~!@KTr4j^}c_XN>iX(GzEYm+~X<_sD?$DuEJ9c~o6-z{4$@C~ey zzgzaFPNrL3ye zYbJ;D%Jn3CwC|!1uVxS^B)z{OC?M;IC;3;F;)!eFI(R89iBefDE>M5?7wGm0!?4Gi zWnsW^ySNt~$(YPBtR92a-s|Vipli%L7H^Lb;Uo;`ngpK7=@Ow7x^f247Zya9)Fgi6 zP==b?7?15)Oc28k;qoABys%!BmgcuiqF)@leGd+mDXE=O*((BTAPvi9n?fH{YW#aU zUHfVc^FN+SWzk%U{g%{@`J`SH15T4brWhe!6~@@8tIi`Rm9CEd_A4sd)LY7Pnib^< z5UcV<_TO{*v{fS~v@2DFJK-lBO%+8HHMqfzC048c_zUcLK}`}Wk0bvOf*8w~03w#5 zy}?dZHW#JO5*F(dzrpv8PWhh)A-2#7pr*;&-iMsrv96C_`wV_s+w?iR06G3BK?xW# z`KN$btmR@1$-EokVk6ydsS#C?;bU61!k2M|;iu=g$f;T2P7GDve7YQj_BNMHz z)gRx0;yLc8iNqCkf2BL79aFOg@a7DHn9LlWz8YJHI^lI%{mW=JL)S4BV?2fi7XNKT zH~sagQfcuu!7#}4_1tirYqm5>%SjSX)F&zuxCVShm(8^`JPUq&N^|Zo!a3{s+g8Jg zLsAW+nN*mec$GA1?!j}nid)`U^KneXbl*Dfx6ZPqtnbF)V3?o$Pj)*u?k(Osr3#8S zo5bASivv\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Trend Micro Apex 
One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information. \r\n \r\n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (CEF over Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Trend Micro Apex One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information. 
\n\r\n1. **Trend Micro Apex One via AMA** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Trend Micro Apex One via Legacy Agent** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Trend Micro Apex One via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -60,14 +60,14 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The Trend Micro Apex One connector allows you to easily connect your Trend Micro Apex One events logs with Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Trend Micro Apex One. You can get Trend Micro Apex One CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { "name": "dataconnectors-parser-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the TMApexOneEvent Kusto Function alias." + "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." } }, { @@ -79,6 +79,13 @@ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" } } + }, + { + "name": "dataconnectors2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Trend Micro Apex One. You can get Trend Micro Apex One CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } } ] }, 
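Review bot: The rewritten `dataconnectors-parser-text` drops the one actionable detail the old text carried — that the parsed data is reached through the `TMApexOneEvent` Kusto function alias — and replaces it with a claim that the parser produces "Microsoft Sentinel normalized format", which nothing on this page supports for a parser over CommonSecurityLog (no ASIM schema is referenced anywhere in the patch). Keep the alias in the user-facing text, e.g. `"text": "The Solution installs a parser that transforms the ingested data. The transformed logs can be accessed using the TMApexOneEvent Kusto Function alias."`. If the generator owns this sentence, the fix belongs in its template rather than in this file.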
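Review bot: The added `dataconnectors2-text` block is word-for-word identical to `dataconnectors1-text` in the preceding hunk, so the installer shows the same paragraph twice and never tells the user which entry is the legacy Log Analytics agent connector and which is the AMA connector — the distinction the solution description itself flags, since running both agents on one host duplicates ingestion. Name the connector in each block, e.g. `"text": "This Solution installs the Trend Micro Apex One via AMA data connector (recommended). You can get Trend Micro Apex One CommonSecurityLog data in your Microsoft Sentinel workspace. ..."` with the matching legacy-agent wording in `dataconnectors1-text`. Both blocks also say "the data connector" in the singular although the solution now ships two.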
@@ -95,7 +102,7 @@ "name": "workbooks-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The workbook installed with the Trend Micro Apex One help’s you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." } }, { @@ -107,6 +114,20 @@ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" } } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "Trend Micro Apex One", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Sets the time name for analysis." + } + } + ] } ] }, @@ -287,7 +308,7 @@ "name": "huntingqueries-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view." + "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. " } }, { @@ -309,7 +330,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Shows behavior monitoring actions taken for files. It depends on the TrendMicroApexOne data connector and TMApexOneEvent data type and TrendMicroApexOne parser." + "text": "Shows behavior monitoring actions taken for files. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" } } ] 
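Review bot: The new `workbook1` section's only content is `"text": "Sets the time name for analysis."`, which reads like a parameter description the generator picked up rather than a description of the Trend Micro Apex One workbook, and it is what users see in the installer. Replace it with a one-sentence summary of what the workbook visualises (the WorkbooksMetadata.json entry earlier in this patch is presumably its source, so the fix may belong there), or drop the section and let `workbooks-text` stand if the packaging tool permits.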
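Review bot: The rewritten `huntingquery1-text` is garbled: `depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)` runs the two connector IDs together with no separator, repeats the data type, and has lost its closing period; the same pattern recurs in `huntingquery2-text` through `huntingquery10-text` in the following hunks. Since the text is generated, the fix belongs in the generator's join logic, but the intended wording is along the lines of `"text": "Shows behavior monitoring actions taken for files. This hunting query depends on the TrendMicroApexOne or TrendMicroApexOneAma data connector (TMApexOneEvent Parser or Table)."`.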
@@ -323,7 +344,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Shows behavior monitoring operations by users. It depends on the TrendMicroApexOne data connector and TMApexOneEvent data type and TrendMicroApexOne parser." + "text": "Shows behavior monitoring operations by users. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" } } ] @@ -337,7 +358,7 @@ "name": "huntingquery3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Shows behavior monitoring triggered policy by command line. It depends on the TrendMicroApexOne data connector and TMApexOneEvent data type and TrendMicroApexOne parser." + "text": "Shows behavior monitoring triggered policy by command line. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" } } ] @@ -351,7 +372,7 @@ "name": "huntingquery4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Shows behavior monitoring event types. It depends on the TrendMicroApexOne data connector and TMApexOneEvent data type and TrendMicroApexOne parser." + "text": "Shows behavior monitoring event types. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" } } ] @@ -365,7 +386,7 @@ "name": "huntingquery5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Shows channel type. It depends on the TrendMicroApexOne data connector and TMApexOneEvent data type and TrendMicroApexOne parser." + "text": "Shows channel type. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" } } ] 
@@ -379,7 +400,7 @@ "name": "huntingquery6-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Shows data loss prevention action by IP address. It depends on the TrendMicroApexOne data connector and TMApexOneEvent data type and TrendMicroApexOne parser." + "text": "Shows data loss prevention action by IP address. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" } } ] @@ -393,7 +414,7 @@ "name": "huntingquery7-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches rare application protocols by Ip address. It depends on the TrendMicroApexOne data connector and TMApexOneEvent data type and TrendMicroApexOne parser." + "text": "Query searches rare application protocols by Ip address. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" } } ] @@ -407,7 +428,7 @@ "name": "huntingquery8-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches spyware detection events. It depends on the TrendMicroApexOne data connector and TMApexOneEvent data type and TrendMicroApexOne parser." + "text": "Query searches spyware detection events. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" } } ] @@ -421,7 +442,7 @@ "name": "huntingquery9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches suspicious files events. It depends on the TrendMicroApexOne data connector and TMApexOneEvent data type and TrendMicroApexOne parser." + "text": "Query searches suspicious files events. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" } } ] 
@@ -435,7 +456,7 @@ "name": "huntingquery10-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query shows list of top sources with alerts. It depends on the TrendMicroApexOne data connector and TMApexOneEvent data type and TrendMicroApexOne parser." + "text": "Query shows list of top sources with alerts. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)" } } ] diff --git a/Solutions/Trend Micro Apex One/Package/mainTemplate.json b/Solutions/Trend Micro Apex One/Package/mainTemplate.json index f4584a96e5e..a0ef874960d 100644 --- a/Solutions/Trend Micro Apex One/Package/mainTemplate.json +++ b/Solutions/Trend Micro Apex One/Package/mainTemplate.json 
@@ -42,158 +42,166 @@ "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_solutionName": "Trend Micro Apex One", + "_solutionVersion": "3.0.0", "uiConfigId1": "TrendMicroApexOne", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "TrendMicroApexOne", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", - "parserVersion1": "1.0.0", - "parserContentId1": "TMApexOneEvent-Parser", - "_parserContentId1": "[variables('parserContentId1')]", - "parserName1": "Trend Micro Apex One Data Parser", - "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", - "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "uiConfigId2": 
"TrendMicroApexOneAma", + "_uiConfigId2": "[variables('uiConfigId2')]", + "dataConnectorContentId2": "TrendMicroApexOneAma", + "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", + "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "_dataConnectorId2": "[variables('dataConnectorId2')]", + "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", + "dataConnectorVersion2": "1.0.0", + "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "workbookVersion1": "1.0.0", "workbookContentId1": "TrendMicroApexOneWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", - "analyticRuleVersion1": "1.0.0", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "analyticRuleVersion1": "1.0.1", "analyticRulecontentId1": "7a3193b8-67b7-11ec-90d6-0242ac120003", "_analyticRulecontentId1": 
"[variables('analyticRulecontentId1')]", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", - "analyticRuleVersion2": "1.0.0", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", + "analyticRuleVersion2": "1.0.1", "analyticRulecontentId2": "4d7199b2-67b8-11ec-90d6-0242ac120003", "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", - "analyticRuleVersion3": "1.0.0", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", + "analyticRuleVersion3": "1.0.1", "analyticRulecontentId3": "4a9a5900-67b7-11ec-90d6-0242ac120003", "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": 
"[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", - "analyticRuleVersion4": "1.0.1", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", + "analyticRuleVersion4": "1.0.2", "analyticRulecontentId4": "b463b952-67b8-11ec-90d6-0242ac120003", "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]", - "analyticRuleVersion5": "1.0.0", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", + "analyticRuleVersion5": "1.0.1", "analyticRulecontentId5": "6303235a-ee70-42a4-b969-43e7b969b916", "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]", - "analyticRuleVersion6": "1.0.0", + "analyticRuleTemplateSpecName5": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", + "analyticRuleVersion6": "1.0.1", "analyticRulecontentId6": "cd94e078-67b7-11ec-90d6-0242ac120003", "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]", - "analyticRuleVersion7": "1.0.2", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", + "analyticRuleVersion7": "1.0.3", "analyticRulecontentId7": "e289d762-6cc2-11ec-90d6-0242ac120003", "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]", - "analyticRuleVersion8": "1.0.0", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", + "_analyticRulecontentProductId7": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", + "analyticRuleVersion8": "1.0.1", "analyticRulecontentId8": "1a87cd10-67b7-11ec-90d6-0242ac120003", "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]", - "analyticRuleVersion9": "1.0.0", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", + "analyticRuleVersion9": "1.0.1", "analyticRulecontentId9": "c92d9fe4-67b6-11ec-90d6-0242ac120003", "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]", - "analyticRuleVersion10": "1.0.0", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", + 
"analyticRuleVersion10": "1.0.1", "analyticRulecontentId10": "9e3dc038-67b7-11ec-90d6-0242ac120003", "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10')))]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", "huntingQueryVersion1": "1.0.0", "huntingQuerycontentId1": "96451e96-67b5-11ec-90d6-0242ac120003", "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", + "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", "huntingQueryVersion2": "1.0.0", "huntingQuerycontentId2": "0caa3472-67b6-11ec-90d6-0242ac120003", "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', 
variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2')))]", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", + "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", "huntingQueryVersion3": "1.0.0", "huntingQuerycontentId3": "14a4a824-67b6-11ec-90d6-0242ac120003", "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3')))]", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", + "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", "huntingQueryVersion4": "1.0.0", "huntingQuerycontentId4": "433ccdb0-67b6-11ec-90d6-0242ac120003", "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4')))]", + "huntingQueryTemplateSpecName4": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", + "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", "huntingQueryVersion5": "1.0.0", "huntingQuerycontentId5": "40d8ad3e-67b4-11ec-90d6-0242ac120003", "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5')))]", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]", + "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", "huntingQueryVersion6": "1.0.0", "huntingQuerycontentId6": "6c7f9bfe-67b5-11ec-90d6-0242ac120003", "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6')))]", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]", + "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]", "huntingQueryVersion7": "1.0.0", "huntingQuerycontentId7": "be89944e-4e75-4d0a-b2d6-ae757d22ed43", "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]", "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7')))]", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))))]", + "_huntingQuerycontentProductId7": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId7'),'-', variables('huntingQueryVersion7'))))]", "huntingQueryVersion8": "1.0.0", "huntingQuerycontentId8": "506955be-648f-11ec-90d6-0242ac120003", "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8')))]", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))))]", + "_huntingQuerycontentProductId8": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId8'),'-', variables('huntingQueryVersion8'))))]", "huntingQueryVersion9": "1.0.0", "huntingQuerycontentId9": "7bf0f260-61a0-11ec-90d6-0242ac120003", "_huntingQuerycontentId9": 
"[variables('huntingQuerycontentId9')]", "huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]", - "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9')))]", + "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))))]", + "_huntingQuerycontentProductId9": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId9'),'-', variables('huntingQueryVersion9'))))]", "huntingQueryVersion10": "1.0.0", "huntingQuerycontentId10": "8bb86556-67b4-11ec-90d6-0242ac120003", "_huntingQuerycontentId10": "[variables('huntingQuerycontentId10')]", "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]", - "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10')))]" + "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))))]", + "_huntingQuerycontentProductId10": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId10'),'-', variables('huntingQueryVersion10'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + 
"apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Trend Micro Apex One data connector with template", - "displayName": "Trend Micro Apex One template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Trend Micro Apex One data connector with template version 2.0.3", + "description": "Trend Micro Apex One data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
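Review bot: The variables hunk removes every parser variable (`parserVersion1`, `parserContentId1`, `parserName1`, `_parserName1`, `parserId1`, `parserTemplateSpecName1`) and adds no replacement, while all ten analytic rules and ten hunting queries in the same variables block keep their TMApexOneEvent dependency and the legacy connector's banner still promises the parser "is deployed with the Microsoft Sentinel Solution". If the regenerated package no longer carries the TMApexOneEvent saved search, every scheduled rule resolves to an unknown function after upgrade and the failure surfaces only at query time, not at deployment, so detection coverage for this source silently stops. Before merging, confirm that a parser content template (in V3 packaging a `parserObject1` variable plus its `contentTemplates` resource) exists elsewhere in mainTemplate.json, or keep the Parsers entry in the solution data file so the tool re-emits it; the hunk I can see covers the whole variables object and shows neither.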
@@ -209,7 +217,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId1')]", - "title": "Trend Micro Apex One", + "title": "[Deprecated] Trend Micro Apex One via Legacy Agent", "publisher": "Trend Micro", "descriptionMarkdown": "The [Trend Micro Apex One](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) data connector provides the capability to ingest [Trend Micro Apex One events](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information.", "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution.", @@ -332,7 +340,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", 
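Review bot: The `+ "title"` line marks the legacy connector as "[Deprecated]", but the `descriptionMarkdown` and `additionalRequirementBanner` context lines that follow are unchanged, so the connector page still reads as a normal install path with no pointer to the AMA replacement. Operators who land on this page will keep onboarding hosts onto the legacy Log Analytics agent, and the CEF stream those hosts forward stops once that agent is retired. I would prefix the description with a note such as `**NOTE:** This connector relies on the legacy Log Analytics agent, which is scheduled for retirement; use the TrendMicroApexOneAma connector for new deployments.` (substitute the AMA connector's display title). The banner's statement that the TMApexOneEvent parser "is deployed with the Microsoft Sentinel Solution" is only true if the parser survives this repackaging; check it against the parser resources in the same template before relying on the wording.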
@@ -357,12 +365,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "[Deprecated] Trend Micro Apex One via Legacy Agent", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId1')]" @@ -398,7 +417,7 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "Trend Micro Apex One", + "title": "[Deprecated] Trend Micro Apex One via Legacy Agent", "publisher": "Trend Micro", "descriptionMarkdown": "The [Trend Micro Apex One](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) data connector provides the capability to ingest [Trend Micro Apex One events](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information.", "graphQueries": [ 
@@ -521,74 +540,154 @@ } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('parserTemplateSpecName1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, - "properties": { - "description": "TMApexOneEvent Data Parser with template", - "displayName": "TMApexOneEvent Data Parser template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneEvent Data Parser with template version 2.0.3", + "description": "Trend Micro Apex One data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion1')]", + "contentVersion": "[variables('dataConnectorVersion2')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('_parserName1')]", - "apiVersion": "2020-08-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", + "kind": "GenericUI", "properties": { - "eTag": "*", - "displayName": "Trend Micro Apex One Data Parser", - "category": "Samples", - "functionAlias": "TMApexOneEvent", - "query": "\nCommonSecurityLog\r\n| where DeviceVendor == \"Trend Micro\"\r\n| where DeviceProduct == \"Apex Central\"\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\r\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\r\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\r\n| extend packed = pack (DeviceCustomNumber1Label, DeviceCustomNumber1,\r\n DeviceCustomNumber2Label, DeviceCustomNumber2,\r\n DeviceCustomString1Label, DeviceCustomString1,\r\n DeviceCustomString2Label, DeviceCustomString2,\r\n DeviceCustomString3Label, DeviceCustomString3,\r\n DeviceCustomString4Label, DeviceCustomString4,\r\n DeviceCustomString5Label, DeviceCustomString5,\r\n DeviceCustomString6Label, DeviceCustomString6,\r\n DeviceCustomDate1Label, DeviceCustomDate1,\r\n DeviceCustomDate2Label, DeviceCustomDate2)\r\n| evaluate bag_unpack(packed)\r\n| project-rename EventVendor=DeviceVendor,\r\n EventProduct=DeviceProduct,\r\n EventProductVersion=DeviceVersion,\r\n EventSubType=DeviceEventClassID,\r\n EventMessage=Activity,\r\n EventSeverity=LogSeverity,\r\n EventOriginalUid=DeviceExternalID,\r\n EventEndTime=ReceiptTime,\r\n DstDvcHostname=DestinationHostName,\r\n DstIpAddr=DestinationIP,\r\n DstUserName=DestinationUserName,\r\n DstPortNumber=DestinationPort,\r\n 
DstServiceName=DestinationServiceName,\r\n SrcPortNumber=SourcePort,\r\n SrcIpAddr=SourceIP,\r\n SrcDvcHostname=SourceHostName,\r\n SrcServiceName=SourceServiceName,\r\n SrcUserName=SourceUserName,\r\n SrcProcessName=SourceProcessName,\r\n SrcMacAddr=SourceMACAddress,\r\n DvcAction=DeviceAction,\r\n DvcHostname=DeviceName,\r\n DvcProcessName=ProcessName,\r\n FileHashSha1=FileHash,\r\n UrlOriginal=RequestURL,\r\n NetworkDirection=CommunicationDirection\r\n| extend Command = iif(DeviceCustomString3Label == \"Command\", DeviceCustomString3, \"\")\r\n| extend ActionResult = iif(DeviceCustomString5Label == \"ActionResult\", DeviceCustomString5, \"\")\r\n| extend Event_Type = iif(DeviceCustomNumber2Label == \"Event_Type\", DeviceCustomNumber2, long(null))\r\n| extend VirusName = iif(DeviceCustomString1Label == \"VirusName\", DeviceCustomString1, \"\")\r\n| extend Policy = iif(DeviceCustomString2Label == \"Policy\", DeviceCustomString2, \"\")\r\n| extend ProcessCommandLine = iif(DeviceCustomString4Label == \"ProcessCommandLine\", DeviceCustomString4, \"\")\r\n| project-away DeviceCustomNumber1Label,\r\n DeviceCustomNumber1,\r\n DeviceCustomNumber2Label,\r\n DeviceCustomNumber2,\r\n DeviceCustomString1Label,\r\n DeviceCustomString1,\r\n DeviceCustomString2Label,\r\n DeviceCustomString2,\r\n DeviceCustomString3Label,\r\n DeviceCustomString3,\r\n DeviceCustomString4Label,\r\n DeviceCustomString4,\r\n DeviceCustomString5Label,\r\n DeviceCustomString5,\r\n DeviceCustomString6Label,\r\n DeviceCustomString6,\r\n DeviceCustomDate1Label,\r\n DeviceCustomDate1,\r\n DeviceCustomDate2Label,\r\n DeviceCustomDate2\r\n", - "version": 1, - "tags": [ - { - "name": "description", - "value": "Trend Micro Apex One Data Parser" - } - ] + "connectorUiConfig": { + "id": "[variables('_uiConfigId2')]", + "title": "[Recommended] Trend Micro Apex One via AMA", + "publisher": "Trend Micro", + "descriptionMarkdown": "The [Trend Micro Apex 
One](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) data connector provides the capability to ingest [Trend Micro Apex One events](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information.", + "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "TrendMicroApexOne", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "\nTMApexOneEvent\n| sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (TrendMicroApexOne)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + 
"permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "description": ">This data connector depends on a parser based on a Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution.", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. 
Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", + "instructions": [] + }, + { + "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", + "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**.", + "instructions": [] + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. Secure your machine " + } + ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", - "dependsOn": [ - "[variables('_parserName1')]" - ], + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": "Parser", - "version": "[variables('parserVersion1')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", "source": { - "name": "Trend Micro Apex One", "kind": "Solution", + "name": "Trend Micro Apex One", "sourceId": "[variables('_solutionId')]" }, "author": { 
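Review bot: The operator-facing validation step added under `instructionSteps` (Step C) contains a wrong command and an unverified download: `python -version` is not a valid Python flag (the CLI takes `--version` or `-V`; `-version` is read as a run of short options and fails), and the CopyableLabel value `sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/.../master/... && sudo python Sentinel_AMA_troubleshoot.py --cef` fetches a script from a moving `master` branch and executes it as root with no integrity check. The same description and command are repeated verbatim in the later hunk at `@@ -652,33 +748,136 @@` for the direct dataConnectors resource, so both copies need the same correction. This file appears to be the solution's generated package template, so the fix presumably belongs in the connector definition it is generated from, followed by regenerating the package rather than editing here. I would change the text to `python --version` and either pin the URL to a fixed commit (`https://raw.githubusercontent.com/Azure/Azure-Sentinel/<pinned-commit-sha>/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py`) with a published checksum to compare before running, or add a sentence asking the operator to review the downloaded script before running it with sudo.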
@@ -604,36 +703,33 @@ } } ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2021-06-01", - "name": "[variables('_parserName1')]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Trend Micro Apex One Data Parser", - "category": "Samples", - "functionAlias": "TMApexOneEvent", - "query": "\nCommonSecurityLog\r\n| where DeviceVendor == \"Trend Micro\"\r\n| where DeviceProduct == \"Apex Central\"\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\r\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\r\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\r\n| extend packed = pack (DeviceCustomNumber1Label, DeviceCustomNumber1,\r\n DeviceCustomNumber2Label, DeviceCustomNumber2,\r\n DeviceCustomString1Label, DeviceCustomString1,\r\n DeviceCustomString2Label, DeviceCustomString2,\r\n DeviceCustomString3Label, DeviceCustomString3,\r\n DeviceCustomString4Label, DeviceCustomString4,\r\n DeviceCustomString5Label, DeviceCustomString5,\r\n DeviceCustomString6Label, DeviceCustomString6,\r\n DeviceCustomDate1Label, DeviceCustomDate1,\r\n DeviceCustomDate2Label, DeviceCustomDate2)\r\n| evaluate bag_unpack(packed)\r\n| project-rename EventVendor=DeviceVendor,\r\n EventProduct=DeviceProduct,\r\n EventProductVersion=DeviceVersion,\r\n EventSubType=DeviceEventClassID,\r\n EventMessage=Activity,\r\n EventSeverity=LogSeverity,\r\n EventOriginalUid=DeviceExternalID,\r\n EventEndTime=ReceiptTime,\r\n DstDvcHostname=DestinationHostName,\r\n DstIpAddr=DestinationIP,\r\n DstUserName=DestinationUserName,\r\n DstPortNumber=DestinationPort,\r\n DstServiceName=DestinationServiceName,\r\n SrcPortNumber=SourcePort,\r\n 
SrcIpAddr=SourceIP,\r\n SrcDvcHostname=SourceHostName,\r\n SrcServiceName=SourceServiceName,\r\n SrcUserName=SourceUserName,\r\n SrcProcessName=SourceProcessName,\r\n SrcMacAddr=SourceMACAddress,\r\n DvcAction=DeviceAction,\r\n DvcHostname=DeviceName,\r\n DvcProcessName=ProcessName,\r\n FileHashSha1=FileHash,\r\n UrlOriginal=RequestURL,\r\n NetworkDirection=CommunicationDirection\r\n| extend Command = iif(DeviceCustomString3Label == \"Command\", DeviceCustomString3, \"\")\r\n| extend ActionResult = iif(DeviceCustomString5Label == \"ActionResult\", DeviceCustomString5, \"\")\r\n| extend Event_Type = iif(DeviceCustomNumber2Label == \"Event_Type\", DeviceCustomNumber2, long(null))\r\n| extend VirusName = iif(DeviceCustomString1Label == \"VirusName\", DeviceCustomString1, \"\")\r\n| extend Policy = iif(DeviceCustomString2Label == \"Policy\", DeviceCustomString2, \"\")\r\n| extend ProcessCommandLine = iif(DeviceCustomString4Label == \"ProcessCommandLine\", DeviceCustomString4, \"\")\r\n| project-away DeviceCustomNumber1Label,\r\n DeviceCustomNumber1,\r\n DeviceCustomNumber2Label,\r\n DeviceCustomNumber2,\r\n DeviceCustomString1Label,\r\n DeviceCustomString1,\r\n DeviceCustomString2Label,\r\n DeviceCustomString2,\r\n DeviceCustomString3Label,\r\n DeviceCustomString3,\r\n DeviceCustomString4Label,\r\n DeviceCustomString4,\r\n DeviceCustomString5Label,\r\n DeviceCustomString5,\r\n DeviceCustomString6Label,\r\n DeviceCustomString6,\r\n DeviceCustomDate1Label,\r\n DeviceCustomDate1,\r\n DeviceCustomDate2Label,\r\n DeviceCustomDate2\r\n", - "version": 1 + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId2')]", + "contentKind": "DataConnector", + "displayName": "[Recommended] Trend Micro Apex One via AMA", + "contentProductId": 
"[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", "dependsOn": [ - "[variables('_parserId1')]" + "[variables('_dataConnectorId2')]" ], + "location": "[parameters('workspace-location')]", "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": "Parser", - "version": "[variables('parserVersion1')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", "source": { "kind": "Solution", "name": "Trend Micro Apex One", 
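Review bot: This hunk deletes the top-level `Microsoft.OperationalInsights/workspaces/savedSearches` resource that defined the `TMApexOneEvent` function (the earlier hunk at `@@ -521,74 +540,154 @@` already dropped its templateSpec), while the new connector's `additionalRequirementBanner` and its sample query `TMApexOneEvent | sort by TimeGenerated` still state that the parser is deployed with the solution. If the parser is re-emitted elsewhere in the template as a contentTemplates resource nothing is lost, but that part of the file is outside this hunk, so please confirm it is; otherwise every analytic rule, hunting query and workbook that queries `TMApexOneEvent` will silently return no results after the upgrade. A short sentence in the PR description saying where the parser now lives in the package would make this easy to verify.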
@@ -652,33 +748,136 @@ } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('workbookTemplateSpecName1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, + "kind": "GenericUI", "properties": { - "description": "Trend Micro Apex One Workbook with template", - "displayName": "Trend Micro Apex One workbook template" + "connectorUiConfig": { + "title": "[Recommended] Trend Micro Apex One via AMA", + "publisher": "Trend Micro", + "descriptionMarkdown": "The [Trend Micro Apex One](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) data connector provides the capability to ingest [Trend Micro Apex One events](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. 
Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "TrendMicroApexOne", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (TrendMicroApexOne)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "\nTMApexOneEvent\n| sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "description": ">This data connector depends on a parser based on a Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution.", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", + "instructions": [] + }, + { + "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", + "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**.", + "instructions": [] + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. Secure your machine " + } + ], + "id": "[variables('_uiConfigId2')]", + "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution." 
+ } } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TrendMicroApexOneWorkbook Workbook with template version 2.0.3", + "description": "TrendMicroApexOneWorkbook Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -696,7 +895,7 @@
 },
 "properties": {
 "displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **TMApexOneEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-TMApexOneEvent-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"60\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where isnotempty(DstDvcHostname)\\r\\n| summarize 
dcount(DstDvcHostname)\",\"size\":3,\"title\":\"Devices\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\n| where isnotempty(SrcUserName)\\n| summarize dcount(SrcUserName)\",\"size\":3,\"title\":\"Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\n| where isnotempty(SrcProcessName)\\n| summarize dcount(SrcProcessName)\",\"size\":3,\"title\":\"Processes\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where EventMessage has \\\"Endpoint Application Control\\\"\\r\\n | where DvcAction has \\\"blocked\\\"\\r\\n | count\",\"size\":3,\"title\":\"Blocked applications\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"customWidth\":\"30\",\"name\":\"group - 
15\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | extend EventType = case(\\r\\n EventMessage == \\\"7\\\", \\\"Web Security\\\", \\r\\n EventMessage == \\\"virusa\\\", \\\"Predictive Machine Learning\\\",\\r\\n EventMessage == \\\"Attack Discovery Detections\\\", \\\"Attack Discovery Detection\\\", \\r\\n EventMessage == \\\"Behavior Monitoring\\\", \\\"Behavior Monitoring\\\",\\r\\n EventMessage == \\\"CnC Callback\\\", \\\"C&C Callback\\\", \\r\\n EventMessage == \\\"This is a policy name\\\", \\\"Policy name\\\",\\r\\n EventMessage == \\\"Data Loss Prevention\\\", \\\"Data Loss Prevention\\\", \\r\\n EventMessage == \\\"Device Access Control\\\", \\\"Device Access Control\\\",\\r\\n EventMessage == \\\"Endpoint Application Control Violation Information\\\", \\\"Endpoint Application Control\\\", \\r\\n EventMessage == \\\"Engine Update Status\\\", \\\"Engine Update Status\\\",\\r\\n EventMessage == \\\"Managed Product Logon/Logoff Events\\\", \\\"Managed Product Logon/Logoff Events\\\", \\r\\n EventMessage == \\\"Suspicious Connection\\\", \\\"Suspicious Connection\\\",\\r\\n EventMessage == \\\"Pattern Update Status\\\", \\\"Pattern Update Status\\\", \\r\\n EventMessage == \\\"VAN_RANSOMWARE.umxxhelloransom_abc\\\", \\\"Sandbox Detection\\\",\\r\\n EventMessage == \\\"Spyware Detected\\\", \\\"Spyware Detected\\\", \\r\\n EventMessage == \\\"JS_EXPLOIT.SMDN\\\", \\\"Virus/Malware Detected\\\",\\r\\n EventMessage == \\\"Suspicious Files\\\", \\\"Suspicious Files\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize count() by 
EventType\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where isnotempty(ApplicationProtocol)\\r\\n | extend AppProtocol = case(\\r\\n ApplicationProtocol == \\\"0\\\", \\\"Unknown\\\", \\r\\n ApplicationProtocol == \\\"1\\\", \\\"SMTP\\\",\\r\\n ApplicationProtocol == \\\"2\\\", \\\"POP3\\\",\\r\\n ApplicationProtocol == \\\"3\\\", \\\"IRC\\\", \\r\\n ApplicationProtocol == \\\"4\\\", \\\"DNS Response\\\",\\r\\n ApplicationProtocol == \\\"5\\\", \\\"HTTP\\\",\\r\\n ApplicationProtocol == \\\"6\\\", \\\"FTP\\\", \\r\\n ApplicationProtocol == \\\"7\\\", \\\"TFTP\\\",\\r\\n ApplicationProtocol == \\\"8\\\", \\\"SMB\\\",\\r\\n ApplicationProtocol == \\\"9\\\", \\\"Windows Live Messenger (MSN)\\\", \\r\\n ApplicationProtocol == \\\"10\\\", \\\"AIM\\\",\\r\\n ApplicationProtocol == \\\"11\\\", \\\"Yahoo! Messenger\\\",\\r\\n ApplicationProtocol == \\\"12\\\", \\\"Gmail\\\",\\r\\n ApplicationProtocol == \\\"13\\\", \\\"Yahoo! 
Mail\\\", \\r\\n ApplicationProtocol == \\\"14\\\", \\\"Windows Live Hotmail\\\",\\r\\n ApplicationProtocol == \\\"15\\\", \\\"RDP\\\",\\r\\n ApplicationProtocol == \\\"16\\\", \\\"DHCP\\\",\\r\\n ApplicationProtocol == \\\"17\\\", \\\"Telnet\\\", \\r\\n ApplicationProtocol == \\\"18\\\", \\\"LDAP\\\",\\r\\n ApplicationProtocol == \\\"19\\\", \\\"File transfer\\\",\\r\\n ApplicationProtocol == \\\"20\\\", \\\"SSH\\\",\\r\\n ApplicationProtocol == \\\"21\\\", \\\"Dameware\\\", \\r\\n ApplicationProtocol == \\\"22\\\", \\\"VNC\\\",\\r\\n ApplicationProtocol == \\\"23\\\", \\\"Cisco Telnet\\\",\\r\\n ApplicationProtocol == \\\"24\\\", \\\"Kerberos\\\", \\r\\n ApplicationProtocol == \\\"25\\\", \\\"DCE RPC\\\",\\r\\n ApplicationProtocol == \\\"26\\\", \\\"SQL\\\",\\r\\n ApplicationProtocol == \\\"27\\\", \\\"pcAnywhere\\\", \\r\\n ApplicationProtocol == \\\"28\\\", \\\"ICMP\\\",\\r\\n ApplicationProtocol == \\\"29\\\", \\\"SNMP\\\",\\r\\n ApplicationProtocol == \\\"30\\\", \\\"Virus pattern TCP\\\", \\r\\n ApplicationProtocol == \\\"31\\\", \\\"Virus pattern UDP\\\",\\r\\n ApplicationProtocol == \\\"32\\\", \\\"HTTPS\\\",\\r\\n ApplicationProtocol == \\\"33\\\", \\\"SMB2\\\",\\r\\n ApplicationProtocol == \\\"34\\\", \\\"MMS\\\", \\r\\n ApplicationProtocol == \\\"35\\\", \\\"IMAP4\\\",\\r\\n ApplicationProtocol == \\\"36\\\", \\\"RADIUS\\\",\\r\\n ApplicationProtocol == \\\"37\\\", \\\"Radmin\\\",\\r\\n ApplicationProtocol == \\\"38\\\", \\\"FTP_Response\\\", \\r\\n ApplicationProtocol == \\\"48\\\", \\\"RTSP/RTP-UDP\\\",\\r\\n ApplicationProtocol == \\\"49\\\", \\\"RTSP/RTP-TCP\\\",\\r\\n ApplicationProtocol == \\\"50\\\", \\\"RTSP/RDT-UDP\\\",\\r\\n ApplicationProtocol == \\\"51\\\", \\\"RTSP/RDT-TCP\\\",\\r\\n ApplicationProtocol == \\\"52\\\", \\\"WMSP\\\",\\r\\n ApplicationProtocol == \\\"53\\\", \\\"SHOUTCast\\\", \\r\\n ApplicationProtocol == \\\"54\\\", \\\"RTMP\\\",\\r\\n ApplicationProtocol == \\\"68\\\", \\\"DNS Request\\\",\\r\\n ApplicationProtocol == 
\\\"256\\\", \\\"BitTorrent\\\", \\r\\n ApplicationProtocol == \\\"257\\\", \\\"Kazaa\\\",\\r\\n ApplicationProtocol == \\\"258\\\", \\\"Limewire\\\",\\r\\n ApplicationProtocol == \\\"259\\\", \\\"Bearshare\\\", \\r\\n ApplicationProtocol == \\\"260\\\", \\\"Bluester\\\",\\r\\n ApplicationProtocol == \\\"261\\\", \\\"Edonkey emule\\\",\\r\\n ApplicationProtocol == \\\"262\\\", \\\"Edonkey2000\\\",\\r\\n ApplicationProtocol == \\\"263\\\", \\\"Filezilla\\\", \\r\\n ApplicationProtocol == \\\"264\\\", \\\"Guncleus\\\",\\r\\n ApplicationProtocol == \\\"265\\\", \\\"Gnutella\\\",\\r\\n ApplicationProtocol == \\\"266\\\", \\\"Winny\\\",\\r\\n ApplicationProtocol == \\\"267\\\", \\\"Napster\\\", \\r\\n ApplicationProtocol == \\\"268\\\", \\\"Morpheus\\\",\\r\\n ApplicationProtocol == \\\"269\\\", \\\"Napster\\\",\\r\\n ApplicationProtocol == \\\"270\\\", \\\"Shareaza\\\",\\r\\n ApplicationProtocol == \\\"271\\\", \\\"WinMX\\\", \\r\\n ApplicationProtocol == \\\"272\\\", \\\"Mldonkey\\\",\\r\\n ApplicationProtocol == \\\"273\\\", \\\"Direct Connect\\\",\\r\\n ApplicationProtocol == \\\"274\\\", \\\"Soulseek\\\", \\r\\n ApplicationProtocol == \\\"275\\\", \\\"OpenAP\\\",\\r\\n ApplicationProtocol == \\\"276\\\", \\\"Kuro\\\",\\r\\n ApplicationProtocol == \\\"277\\\", \\\"Imesh\\\", \\r\\n ApplicationProtocol == \\\"278\\\", \\\"Skype\\\",\\r\\n ApplicationProtocol == \\\"279\\\", \\\"Google Talk\\\",\\r\\n ApplicationProtocol == \\\"317\\\", \\\"Cabos\\\", \\r\\n ApplicationProtocol == \\\"318\\\", \\\"Zultrax\\\",\\r\\n ApplicationProtocol == \\\"319\\\", \\\"Foxy\\\",\\r\\n ApplicationProtocol == \\\"320\\\", \\\"eDonkey\\\",\\r\\n ApplicationProtocol == \\\"321\\\", \\\"Ares\\\", \\r\\n ApplicationProtocol == \\\"322\\\", \\\"Miranda\\\",\\r\\n ApplicationProtocol == \\\"323\\\", \\\"Kceasy\\\",\\r\\n ApplicationProtocol == \\\"324\\\", \\\"MoodAmp\\\",\\r\\n ApplicationProtocol == \\\"325\\\", \\\"Deepnet Explorer\\\", \\r\\n ApplicationProtocol == \\\"326\\\", 
\\\"FreeWire\\\",\\r\\n ApplicationProtocol == \\\"327\\\", \\\"Gimme\\\",\\r\\n ApplicationProtocol == \\\"328\\\", \\\"GnucDNA GWebCache\\\",\\r\\n ApplicationProtocol == \\\"329\\\", \\\"Jubster\\\",\\r\\n ApplicationProtocol == \\\"330\\\", \\\"MyNapster\\\", \\r\\n ApplicationProtocol == \\\"331\\\", \\\"Nova GWebCache\\\",\\r\\n ApplicationProtocol == \\\"332\\\", \\\"Swapper GWebCache\\\",\\r\\n ApplicationProtocol == \\\"333\\\", \\\"Xnap\\\",\\r\\n ApplicationProtocol == \\\"334\\\", \\\"Xolox\\\", \\r\\n ApplicationProtocol == \\\"335\\\", \\\"Ppstream\\\",\\r\\n ApplicationProtocol == \\\"640\\\", \\\"AIM Express\\\",\\r\\n ApplicationProtocol == \\\"641\\\", \\\"Chikka SMS Messenger\\\",\\r\\n ApplicationProtocol == \\\"642\\\", \\\"eBuddy\\\", \\r\\n ApplicationProtocol == \\\"643\\\", \\\"ICQ2Go\\\",\\r\\n ApplicationProtocol == \\\"644\\\", \\\"ILoveIM Web Messenger\\\",\\r\\n ApplicationProtocol == \\\"645\\\", \\\"IMUnitive\\\",\\r\\n ApplicationProtocol == \\\"646\\\", \\\"Mabber\\\",\\r\\n ApplicationProtocol == \\\"647\\\", \\\"Meebo\\\",\\r\\n ApplicationProtocol == \\\"648\\\", \\\"Yahoo! 
Web Messenger\\\", \\r\\n ApplicationProtocol == \\\"848\\\", \\\"SIP2\\\",\\r\\n ApplicationProtocol == \\\"1024\\\", \\\"GPass\\\",\\r\\n ApplicationProtocol == \\\"10001\\\", \\\"IP\\\",\\r\\n ApplicationProtocol == \\\"10002\\\", \\\"ARP\\\",\\r\\n ApplicationProtocol == \\\"10003\\\", \\\"TCP\\\", \\r\\n ApplicationProtocol == \\\"10004\\\", \\\"UDP\\\",\\r\\n ApplicationProtocol == \\\"10005\\\", \\\"IGMP\\\",\\r\\n ApplicationProtocol == \\\"60\\\", \\\"ORACLE\\\", \\r\\n ApplicationProtocol == \\\"44\\\", \\\"MySQL\\\",\\r\\n ApplicationProtocol == \\\"520\\\", \\\"MSSQL\\\",\\r\\n ApplicationProtocol == \\\"337\\\", \\\"Postgres\\\", \\r\\n ApplicationProtocol == \\\"41\\\", \\\"ICMPv6\\\",\\r\\n ApplicationProtocol == \\\"10006\\\", \\\"GGP\\\",\\r\\n ApplicationProtocol == \\\"10007\\\", \\\"PUP\\\",\\r\\n ApplicationProtocol == \\\"10008\\\", \\\"IDP\\\", \\r\\n ApplicationProtocol == \\\"10009\\\", \\\"ND\\\",\\r\\n ApplicationProtocol == \\\"10010\\\", \\\"RAW\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize ProtocolCount = count() by AppProtocol\",\"size\":3,\"title\":\"Network protocols\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 10\",\"styleSettings\":{\"maxWidth\":\"45\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where EventMessage has \\\"CnC Callback\\\" \\r\\n| project EventEndTime, SrcIpAddr, DstIpAddr\\r\\n\",\"size\":0,\"title\":\"CnC connections\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 15\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where EventMessage has \\\"Endpoint Application 
Control\\\"\\r\\n| where DvcAction has \\\"Blocked\\\"\\r\\n| project EventEndTime, Application = FileName, SrcUserName\\r\\n\",\"size\":0,\"title\":\"Blocked applications\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 13\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where isnotempty(FileName)\\r\\n | extend File = strcat(FilePath, FileName)\\r\\n | summarize count() by File\\r\\n | sort by count_ desc \",\"size\":0,\"title\":\"Suspicious files\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 10\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| sort by TimeGenerated desc \\r\\n| where EventMessage !in~ (\\\"Engine Update Statusd\\\", \\\"Pattern Update Status\\\")\\r\\n| project EventEndTime, Module=EventMessage, FileName \",\"size\":0,\"title\":\"Latest detections\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"55\",\"name\":\"query - 11\",\"styleSettings\":{\"maxWidth\":\"80\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where EventMessage has \\\"Data Loss Prevention\\\"\\r\\n | extend DeviceCustomNumber3 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber3\\\", long(null)),DeviceCustomNumber3)\\r\\n | where isnotempty(DeviceCustomNumber3)\\r\\n | extend Channel_Type 
= case(\\r\\n DeviceCustomNumber3 == \\\"65535\\\", \\\"Not available\\\",\\r\\n DeviceCustomNumber3 == \\\"0\\\", \\\"Removable storage\\\", \\r\\n DeviceCustomNumber3 == \\\"1\\\", \\\"SMB\\\",\\r\\n DeviceCustomNumber3 == \\\"2\\\", \\\"Email\\\",\\r\\n DeviceCustomNumber3 == \\\"3\\\", \\\"IM\\\", \\r\\n DeviceCustomNumber3 == \\\"4\\\", \\\"FTP\\\",\\r\\n DeviceCustomNumber3 == \\\"5\\\", \\\"HTTP\\\",\\r\\n DeviceCustomNumber3 == \\\"6\\\", \\\"HTTPS\\\", \\r\\n DeviceCustomNumber3 == \\\"7\\\", \\\"PGP\\\",\\r\\n DeviceCustomNumber3 == \\\"8\\\", \\\"Data recorders\\\",\\r\\n DeviceCustomNumber3 == \\\"9\\\", \\\"Printer\\\", \\r\\n DeviceCustomNumber3 == \\\"10\\\", \\\"Clipboard\\\",\\r\\n DeviceCustomNumber3 == \\\"11\\\", \\\"Sync\\\",\\r\\n DeviceCustomNumber3 == \\\"12\\\", \\\"P2P\\\",\\r\\n DeviceCustomNumber3 == \\\"13\\\", \\\"Webmail\\\", \\r\\n DeviceCustomNumber3 == \\\"14\\\", \\\"Document management\\\",\\r\\n DeviceCustomNumber3 == \\\"15\\\", \\\"Cloud storage\\\",\\r\\n DeviceCustomNumber3 == \\\"121\\\", \\\"SMTP email\\\",\\r\\n DeviceCustomNumber3 == \\\"122\\\", \\\"Exchange Client Mail\\\", \\r\\n DeviceCustomNumber3 == \\\"123\\\", \\\"Lotus Note Email\\\",\\r\\n DeviceCustomNumber3 == \\\"130\\\", \\\"Webmail (Yahoo! 
Mail)\\\",\\r\\n DeviceCustomNumber3 == \\\"131\\\", \\\"Webmail (Hotmail)\\\",\\r\\n DeviceCustomNumber3 == \\\"132\\\", \\\"Webmail (Gmail)\\\",\\r\\n DeviceCustomNumber3 == \\\"133\\\", \\\"Webmail (AOL Mail)\\\",\\r\\n DeviceCustomNumber3 == \\\"140\\\", \\\"IM (MSN)\\\",\\r\\n DeviceCustomNumber3 == \\\"141\\\", \\\"IM (AIM)\\\",\\r\\n DeviceCustomNumber3 == \\\"142\\\", \\\"IM (Yahoo Messenger)\\\",\\r\\n DeviceCustomNumber3 == \\\"143\\\", \\\"IM (Skype)\\\",\\r\\n DeviceCustomNumber3 == \\\"191\\\", \\\"P2P (BitTorrent)\\\",\\r\\n DeviceCustomNumber3 == \\\"192\\\", \\\"P2P (EMule)\\\",\\r\\n DeviceCustomNumber3 == \\\"193\\\", \\\"P2P (Winny)\\\",\\r\\n DeviceCustomNumber3 == \\\"194\\\", \\\"P2P (HTCSYN)\\\",\\r\\n DeviceCustomNumber3 == \\\"195\\\", \\\"P2P (iTunes)\\\",\\r\\n DeviceCustomNumber3 == \\\"196\\\", \\\"Cloud storage (DropBox)\\\",\\r\\n DeviceCustomNumber3 == \\\"197\\\", \\\"Cloud storage (Box)\\\",\\r\\n DeviceCustomNumber3 == \\\"198\\\", \\\"Cloud storage (Google Drive)\\\",\\r\\n DeviceCustomNumber3 == \\\"199\\\", \\\"Cloud storage (OneDrive)\\\",\\r\\n DeviceCustomNumber3 == \\\"200\\\", \\\"Cloud storage (SugarSync)\\\",\\r\\n DeviceCustomNumber3 == \\\"201\\\", \\\"Cloud storage (Hightail)\\\",\\r\\n DeviceCustomNumber3 == \\\"202\\\", \\\"IM (QQ)\\\",\\r\\n DeviceCustomNumber3 == \\\"203\\\", \\\"Webmail (other)\\\",\\r\\n DeviceCustomNumber3 == \\\"204\\\", \\\"Cloud storage (Evernote)\\\",\\r\\n DeviceCustomNumber3 == \\\"211\\\", \\\"Document management (SharePoint)\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize ChannelType = count() by Channel_Type\",\"size\":3,\"title\":\"Channel types\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"name\":\"query - 
9\"}],\"fromTemplateId\":\"sentinel-TrendMicroApexOneWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **TMApexOneEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-TMApexOneEvent-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"60\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where isnotempty(DstDvcHostname)\\r\\n| summarize 
dcount(DstDvcHostname)\",\"size\":3,\"title\":\"Devices\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\n| where isnotempty(SrcUserName)\\n| summarize dcount(SrcUserName)\",\"size\":3,\"title\":\"Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\n| where isnotempty(SrcProcessName)\\n| summarize dcount(SrcProcessName)\",\"size\":3,\"title\":\"Processes\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where EventMessage has \\\"Endpoint Application Control\\\"\\r\\n | where DvcAction has \\\"blocked\\\"\\r\\n | count\",\"size\":3,\"title\":\"Blocked applications\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"customWidth\":\"30\",\"name\":\"group - 
15\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | extend EventType = case(\\r\\n EventMessage == \\\"7\\\", \\\"Web Security\\\", \\r\\n EventMessage == \\\"virusa\\\", \\\"Predictive Machine Learning\\\",\\r\\n EventMessage == \\\"Attack Discovery Detections\\\", \\\"Attack Discovery Detection\\\", \\r\\n EventMessage == \\\"Behavior Monitoring\\\", \\\"Behavior Monitoring\\\",\\r\\n EventMessage == \\\"CnC Callback\\\", \\\"C&C Callback\\\", \\r\\n EventMessage == \\\"This is a policy name\\\", \\\"Policy name\\\",\\r\\n EventMessage == \\\"Data Loss Prevention\\\", \\\"Data Loss Prevention\\\", \\r\\n EventMessage == \\\"Device Access Control\\\", \\\"Device Access Control\\\",\\r\\n EventMessage == \\\"Endpoint Application Control Violation Information\\\", \\\"Endpoint Application Control\\\", \\r\\n EventMessage == \\\"Engine Update Status\\\", \\\"Engine Update Status\\\",\\r\\n EventMessage == \\\"Managed Product Logon/Logoff Events\\\", \\\"Managed Product Logon/Logoff Events\\\", \\r\\n EventMessage == \\\"Suspicious Connection\\\", \\\"Suspicious Connection\\\",\\r\\n EventMessage == \\\"Pattern Update Status\\\", \\\"Pattern Update Status\\\", \\r\\n EventMessage == \\\"VAN_RANSOMWARE.umxxhelloransom_abc\\\", \\\"Sandbox Detection\\\",\\r\\n EventMessage == \\\"Spyware Detected\\\", \\\"Spyware Detected\\\", \\r\\n EventMessage == \\\"JS_EXPLOIT.SMDN\\\", \\\"Virus/Malware Detected\\\",\\r\\n EventMessage == \\\"Suspicious Files\\\", \\\"Suspicious Files\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize count() by 
EventType\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where isnotempty(ApplicationProtocol)\\r\\n | extend AppProtocol = case(\\r\\n ApplicationProtocol == \\\"0\\\", \\\"Unknown\\\", \\r\\n ApplicationProtocol == \\\"1\\\", \\\"SMTP\\\",\\r\\n ApplicationProtocol == \\\"2\\\", \\\"POP3\\\",\\r\\n ApplicationProtocol == \\\"3\\\", \\\"IRC\\\", \\r\\n ApplicationProtocol == \\\"4\\\", \\\"DNS Response\\\",\\r\\n ApplicationProtocol == \\\"5\\\", \\\"HTTP\\\",\\r\\n ApplicationProtocol == \\\"6\\\", \\\"FTP\\\", \\r\\n ApplicationProtocol == \\\"7\\\", \\\"TFTP\\\",\\r\\n ApplicationProtocol == \\\"8\\\", \\\"SMB\\\",\\r\\n ApplicationProtocol == \\\"9\\\", \\\"Windows Live Messenger (MSN)\\\", \\r\\n ApplicationProtocol == \\\"10\\\", \\\"AIM\\\",\\r\\n ApplicationProtocol == \\\"11\\\", \\\"Yahoo! Messenger\\\",\\r\\n ApplicationProtocol == \\\"12\\\", \\\"Gmail\\\",\\r\\n ApplicationProtocol == \\\"13\\\", \\\"Yahoo! 
Mail\\\", \\r\\n ApplicationProtocol == \\\"14\\\", \\\"Windows Live Hotmail\\\",\\r\\n ApplicationProtocol == \\\"15\\\", \\\"RDP\\\",\\r\\n ApplicationProtocol == \\\"16\\\", \\\"DHCP\\\",\\r\\n ApplicationProtocol == \\\"17\\\", \\\"Telnet\\\", \\r\\n ApplicationProtocol == \\\"18\\\", \\\"LDAP\\\",\\r\\n ApplicationProtocol == \\\"19\\\", \\\"File transfer\\\",\\r\\n ApplicationProtocol == \\\"20\\\", \\\"SSH\\\",\\r\\n ApplicationProtocol == \\\"21\\\", \\\"Dameware\\\", \\r\\n ApplicationProtocol == \\\"22\\\", \\\"VNC\\\",\\r\\n ApplicationProtocol == \\\"23\\\", \\\"Cisco Telnet\\\",\\r\\n ApplicationProtocol == \\\"24\\\", \\\"Kerberos\\\", \\r\\n ApplicationProtocol == \\\"25\\\", \\\"DCE RPC\\\",\\r\\n ApplicationProtocol == \\\"26\\\", \\\"SQL\\\",\\r\\n ApplicationProtocol == \\\"27\\\", \\\"pcAnywhere\\\", \\r\\n ApplicationProtocol == \\\"28\\\", \\\"ICMP\\\",\\r\\n ApplicationProtocol == \\\"29\\\", \\\"SNMP\\\",\\r\\n ApplicationProtocol == \\\"30\\\", \\\"Virus pattern TCP\\\", \\r\\n ApplicationProtocol == \\\"31\\\", \\\"Virus pattern UDP\\\",\\r\\n ApplicationProtocol == \\\"32\\\", \\\"HTTPS\\\",\\r\\n ApplicationProtocol == \\\"33\\\", \\\"SMB2\\\",\\r\\n ApplicationProtocol == \\\"34\\\", \\\"MMS\\\", \\r\\n ApplicationProtocol == \\\"35\\\", \\\"IMAP4\\\",\\r\\n ApplicationProtocol == \\\"36\\\", \\\"RADIUS\\\",\\r\\n ApplicationProtocol == \\\"37\\\", \\\"Radmin\\\",\\r\\n ApplicationProtocol == \\\"38\\\", \\\"FTP_Response\\\", \\r\\n ApplicationProtocol == \\\"48\\\", \\\"RTSP/RTP-UDP\\\",\\r\\n ApplicationProtocol == \\\"49\\\", \\\"RTSP/RTP-TCP\\\",\\r\\n ApplicationProtocol == \\\"50\\\", \\\"RTSP/RDT-UDP\\\",\\r\\n ApplicationProtocol == \\\"51\\\", \\\"RTSP/RDT-TCP\\\",\\r\\n ApplicationProtocol == \\\"52\\\", \\\"WMSP\\\",\\r\\n ApplicationProtocol == \\\"53\\\", \\\"SHOUTCast\\\", \\r\\n ApplicationProtocol == \\\"54\\\", \\\"RTMP\\\",\\r\\n ApplicationProtocol == \\\"68\\\", \\\"DNS Request\\\",\\r\\n ApplicationProtocol == 
\\\"256\\\", \\\"BitTorrent\\\", \\r\\n ApplicationProtocol == \\\"257\\\", \\\"Kazaa\\\",\\r\\n ApplicationProtocol == \\\"258\\\", \\\"Limewire\\\",\\r\\n ApplicationProtocol == \\\"259\\\", \\\"Bearshare\\\", \\r\\n ApplicationProtocol == \\\"260\\\", \\\"Bluester\\\",\\r\\n ApplicationProtocol == \\\"261\\\", \\\"Edonkey emule\\\",\\r\\n ApplicationProtocol == \\\"262\\\", \\\"Edonkey2000\\\",\\r\\n ApplicationProtocol == \\\"263\\\", \\\"Filezilla\\\", \\r\\n ApplicationProtocol == \\\"264\\\", \\\"Guncleus\\\",\\r\\n ApplicationProtocol == \\\"265\\\", \\\"Gnutella\\\",\\r\\n ApplicationProtocol == \\\"266\\\", \\\"Winny\\\",\\r\\n ApplicationProtocol == \\\"267\\\", \\\"Napster\\\", \\r\\n ApplicationProtocol == \\\"268\\\", \\\"Morpheus\\\",\\r\\n ApplicationProtocol == \\\"269\\\", \\\"Napster\\\",\\r\\n ApplicationProtocol == \\\"270\\\", \\\"Shareaza\\\",\\r\\n ApplicationProtocol == \\\"271\\\", \\\"WinMX\\\", \\r\\n ApplicationProtocol == \\\"272\\\", \\\"Mldonkey\\\",\\r\\n ApplicationProtocol == \\\"273\\\", \\\"Direct Connect\\\",\\r\\n ApplicationProtocol == \\\"274\\\", \\\"Soulseek\\\", \\r\\n ApplicationProtocol == \\\"275\\\", \\\"OpenAP\\\",\\r\\n ApplicationProtocol == \\\"276\\\", \\\"Kuro\\\",\\r\\n ApplicationProtocol == \\\"277\\\", \\\"Imesh\\\", \\r\\n ApplicationProtocol == \\\"278\\\", \\\"Skype\\\",\\r\\n ApplicationProtocol == \\\"279\\\", \\\"Google Talk\\\",\\r\\n ApplicationProtocol == \\\"317\\\", \\\"Cabos\\\", \\r\\n ApplicationProtocol == \\\"318\\\", \\\"Zultrax\\\",\\r\\n ApplicationProtocol == \\\"319\\\", \\\"Foxy\\\",\\r\\n ApplicationProtocol == \\\"320\\\", \\\"eDonkey\\\",\\r\\n ApplicationProtocol == \\\"321\\\", \\\"Ares\\\", \\r\\n ApplicationProtocol == \\\"322\\\", \\\"Miranda\\\",\\r\\n ApplicationProtocol == \\\"323\\\", \\\"Kceasy\\\",\\r\\n ApplicationProtocol == \\\"324\\\", \\\"MoodAmp\\\",\\r\\n ApplicationProtocol == \\\"325\\\", \\\"Deepnet Explorer\\\", \\r\\n ApplicationProtocol == \\\"326\\\", 
\\\"FreeWire\\\",\\r\\n ApplicationProtocol == \\\"327\\\", \\\"Gimme\\\",\\r\\n ApplicationProtocol == \\\"328\\\", \\\"GnucDNA GWebCache\\\",\\r\\n ApplicationProtocol == \\\"329\\\", \\\"Jubster\\\",\\r\\n ApplicationProtocol == \\\"330\\\", \\\"MyNapster\\\", \\r\\n ApplicationProtocol == \\\"331\\\", \\\"Nova GWebCache\\\",\\r\\n ApplicationProtocol == \\\"332\\\", \\\"Swapper GWebCache\\\",\\r\\n ApplicationProtocol == \\\"333\\\", \\\"Xnap\\\",\\r\\n ApplicationProtocol == \\\"334\\\", \\\"Xolox\\\", \\r\\n ApplicationProtocol == \\\"335\\\", \\\"Ppstream\\\",\\r\\n ApplicationProtocol == \\\"640\\\", \\\"AIM Express\\\",\\r\\n ApplicationProtocol == \\\"641\\\", \\\"Chikka SMS Messenger\\\",\\r\\n ApplicationProtocol == \\\"642\\\", \\\"eBuddy\\\", \\r\\n ApplicationProtocol == \\\"643\\\", \\\"ICQ2Go\\\",\\r\\n ApplicationProtocol == \\\"644\\\", \\\"ILoveIM Web Messenger\\\",\\r\\n ApplicationProtocol == \\\"645\\\", \\\"IMUnitive\\\",\\r\\n ApplicationProtocol == \\\"646\\\", \\\"Mabber\\\",\\r\\n ApplicationProtocol == \\\"647\\\", \\\"Meebo\\\",\\r\\n ApplicationProtocol == \\\"648\\\", \\\"Yahoo! 
Web Messenger\\\", \\r\\n ApplicationProtocol == \\\"848\\\", \\\"SIP2\\\",\\r\\n ApplicationProtocol == \\\"1024\\\", \\\"GPass\\\",\\r\\n ApplicationProtocol == \\\"10001\\\", \\\"IP\\\",\\r\\n ApplicationProtocol == \\\"10002\\\", \\\"ARP\\\",\\r\\n ApplicationProtocol == \\\"10003\\\", \\\"TCP\\\", \\r\\n ApplicationProtocol == \\\"10004\\\", \\\"UDP\\\",\\r\\n ApplicationProtocol == \\\"10005\\\", \\\"IGMP\\\",\\r\\n ApplicationProtocol == \\\"60\\\", \\\"ORACLE\\\", \\r\\n ApplicationProtocol == \\\"44\\\", \\\"MySQL\\\",\\r\\n ApplicationProtocol == \\\"520\\\", \\\"MSSQL\\\",\\r\\n ApplicationProtocol == \\\"337\\\", \\\"Postgres\\\", \\r\\n ApplicationProtocol == \\\"41\\\", \\\"ICMPv6\\\",\\r\\n ApplicationProtocol == \\\"10006\\\", \\\"GGP\\\",\\r\\n ApplicationProtocol == \\\"10007\\\", \\\"PUP\\\",\\r\\n ApplicationProtocol == \\\"10008\\\", \\\"IDP\\\", \\r\\n ApplicationProtocol == \\\"10009\\\", \\\"ND\\\",\\r\\n ApplicationProtocol == \\\"10010\\\", \\\"RAW\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize ProtocolCount = count() by AppProtocol\",\"size\":3,\"title\":\"Network protocols\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 10\",\"styleSettings\":{\"maxWidth\":\"45\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where EventMessage has \\\"CnC Callback\\\" \\r\\n| project EventEndTime, SrcIpAddr, DstIpAddr\\r\\n\",\"size\":0,\"title\":\"CnC connections\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 15\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where EventMessage has \\\"Endpoint Application 
Control\\\"\\r\\n| where DvcAction has \\\"Blocked\\\"\\r\\n| project EventEndTime, Application = FileName, SrcUserName\\r\\n\",\"size\":0,\"title\":\"Blocked applications\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 13\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where isnotempty(FileName)\\r\\n | extend File = strcat(FilePath, FileName)\\r\\n | summarize count() by File\\r\\n | sort by count_ desc \",\"size\":0,\"title\":\"Suspicious files\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 10\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| sort by TimeGenerated desc \\r\\n| where EventMessage !in~ (\\\"Engine Update Statusd\\\", \\\"Pattern Update Status\\\")\\r\\n| project EventEndTime, Module=EventMessage, FileName \",\"size\":0,\"title\":\"Latest detections\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"55\",\"name\":\"query - 11\",\"styleSettings\":{\"maxWidth\":\"80\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where EventMessage has \\\"Data Loss Prevention\\\"\\r\\n | extend DeviceCustomNumber3 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber3\\\", long(null)),DeviceCustomNumber3)\\r\\n | where isnotempty(DeviceCustomNumber3)\\r\\n | extend Channel_Type 
= case(\\r\\n DeviceCustomNumber3 == \\\"65535\\\", \\\"Not available\\\",\\r\\n DeviceCustomNumber3 == \\\"0\\\", \\\"Removable storage\\\", \\r\\n DeviceCustomNumber3 == \\\"1\\\", \\\"SMB\\\",\\r\\n DeviceCustomNumber3 == \\\"2\\\", \\\"Email\\\",\\r\\n DeviceCustomNumber3 == \\\"3\\\", \\\"IM\\\", \\r\\n DeviceCustomNumber3 == \\\"4\\\", \\\"FTP\\\",\\r\\n DeviceCustomNumber3 == \\\"5\\\", \\\"HTTP\\\",\\r\\n DeviceCustomNumber3 == \\\"6\\\", \\\"HTTPS\\\", \\r\\n DeviceCustomNumber3 == \\\"7\\\", \\\"PGP\\\",\\r\\n DeviceCustomNumber3 == \\\"8\\\", \\\"Data recorders\\\",\\r\\n DeviceCustomNumber3 == \\\"9\\\", \\\"Printer\\\", \\r\\n DeviceCustomNumber3 == \\\"10\\\", \\\"Clipboard\\\",\\r\\n DeviceCustomNumber3 == \\\"11\\\", \\\"Sync\\\",\\r\\n DeviceCustomNumber3 == \\\"12\\\", \\\"P2P\\\",\\r\\n DeviceCustomNumber3 == \\\"13\\\", \\\"Webmail\\\", \\r\\n DeviceCustomNumber3 == \\\"14\\\", \\\"Document management\\\",\\r\\n DeviceCustomNumber3 == \\\"15\\\", \\\"Cloud storage\\\",\\r\\n DeviceCustomNumber3 == \\\"121\\\", \\\"SMTP email\\\",\\r\\n DeviceCustomNumber3 == \\\"122\\\", \\\"Exchange Client Mail\\\", \\r\\n DeviceCustomNumber3 == \\\"123\\\", \\\"Lotus Note Email\\\",\\r\\n DeviceCustomNumber3 == \\\"130\\\", \\\"Webmail (Yahoo! 
Mail)\\\",\\r\\n DeviceCustomNumber3 == \\\"131\\\", \\\"Webmail (Hotmail)\\\",\\r\\n DeviceCustomNumber3 == \\\"132\\\", \\\"Webmail (Gmail)\\\",\\r\\n DeviceCustomNumber3 == \\\"133\\\", \\\"Webmail (AOL Mail)\\\",\\r\\n DeviceCustomNumber3 == \\\"140\\\", \\\"IM (MSN)\\\",\\r\\n DeviceCustomNumber3 == \\\"141\\\", \\\"IM (AIM)\\\",\\r\\n DeviceCustomNumber3 == \\\"142\\\", \\\"IM (Yahoo Messenger)\\\",\\r\\n DeviceCustomNumber3 == \\\"143\\\", \\\"IM (Skype)\\\",\\r\\n DeviceCustomNumber3 == \\\"191\\\", \\\"P2P (BitTorrent)\\\",\\r\\n DeviceCustomNumber3 == \\\"192\\\", \\\"P2P (EMule)\\\",\\r\\n DeviceCustomNumber3 == \\\"193\\\", \\\"P2P (Winny)\\\",\\r\\n DeviceCustomNumber3 == \\\"194\\\", \\\"P2P (HTCSYN)\\\",\\r\\n DeviceCustomNumber3 == \\\"195\\\", \\\"P2P (iTunes)\\\",\\r\\n DeviceCustomNumber3 == \\\"196\\\", \\\"Cloud storage (DropBox)\\\",\\r\\n DeviceCustomNumber3 == \\\"197\\\", \\\"Cloud storage (Box)\\\",\\r\\n DeviceCustomNumber3 == \\\"198\\\", \\\"Cloud storage (Google Drive)\\\",\\r\\n DeviceCustomNumber3 == \\\"199\\\", \\\"Cloud storage (OneDrive)\\\",\\r\\n DeviceCustomNumber3 == \\\"200\\\", \\\"Cloud storage (SugarSync)\\\",\\r\\n DeviceCustomNumber3 == \\\"201\\\", \\\"Cloud storage (Hightail)\\\",\\r\\n DeviceCustomNumber3 == \\\"202\\\", \\\"IM (QQ)\\\",\\r\\n DeviceCustomNumber3 == \\\"203\\\", \\\"Webmail (other)\\\",\\r\\n DeviceCustomNumber3 == \\\"204\\\", \\\"Cloud storage (Evernote)\\\",\\r\\n DeviceCustomNumber3 == \\\"211\\\", \\\"Document management (SharePoint)\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize ChannelType = count() by Channel_Type\",\"size\":3,\"title\":\"Channel types\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"name\":\"query - 
9\"}],\"fromTemplateId\":\"sentinel-TrendMicroApexOneWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -743,37 +942,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Trend Micro Apex One Analytics Rule 1 with template",
- "displayName": "Trend Micro Apex One Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "TMApexOneAttackDiscoveryDetectionRisks_AnalyticalRules Analytics Rule with template version 2.0.3",
+ "description": "TMApexOneAttackDiscoveryDetectionRisks_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion1')]",
@@ -782,7 +974,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId1')]",
+ "name": "[variables('analyticRulecontentId1')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -805,29 +997,38 @@
 "dataTypes": [
 "TMApexOneEvent"
 ]
+ },
+ {
+ "connectorId": "TrendMicroApexOneAma",
+ "dataTypes": [
+ "TMApexOneEvent"
+ ]
 }
 ],
 "tactics": [
 "InitialAccess"
 ],
+ "techniques": [
+ "T1190"
+ ],
 "entityMappings": [
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
 }
- ],
- "entityType": "IP"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
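Review bot: The AlertRuleTemplates `name` now reads `[variables('analyticRulecontentId1')]` while the content template's `contentId` reads `[variables('_analyticRulecontentId1')]` and its `version`/`contentVersion` read `[variables('analyticRuleVersion1')]`; none of these variables is defined within this chunk, so please confirm the variables block declares the lowercase `analyticRulecontentId1` (an unresolved variable fails the whole deployment) and that `analyticRuleVersion1` was bumped in step with the rule's YAML version, otherwise the new `contentTemplates` resource advertises a stale rule version and workspaces are not offered the AMA-aware update. The same check applies to the eight sibling rule sections that follow (rules 2–9). The `description` string hard-codes `template version 3.0.0`; if it is meant to track the solution version, `"description": "[concat('TMApexOneAttackDiscoveryDetectionRisks_AnalyticalRules Analytics Rule with template version ', variables('_solutionVersion'))]"` keeps it from drifting on the next repackage.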
@@ -860,37 +1061,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "ApexOne - Attack Discovery Detection",
+ "contentProductId": "[variables('_analyticRulecontentProductId1')]",
+ "id": "[variables('_analyticRulecontentProductId1')]",
+ "version": "[variables('analyticRuleVersion1')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName2')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Trend Micro Apex One Analytics Rule 2 with template",
- "displayName": "Trend Micro Apex One Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "TMApexOneCommandLineSuspiciousRequests_AnalyticalRules Analytics Rule with template version 2.0.3",
+ "description": "TMApexOneCommandLineSuspiciousRequests_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion2')]",
@@ -899,7 +1093,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId2')]",
+ "name": "[variables('analyticRulecontentId2')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -922,29 +1116,38 @@
 "dataTypes": [
 "TMApexOneEvent"
 ]
+ },
+ {
+ "connectorId": "TrendMicroApexOneAma",
+ "dataTypes": [
+ "TMApexOneEvent"
+ ]
 }
 ],
 "tactics": [
 "Execution"
 ],
+ "techniques": [
+ "T1059"
+ ],
 "entityMappings": [
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
 }
- ],
- "entityType": "IP"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -977,37 +1180,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId2')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "ApexOne - Suspicious commandline arguments",
+ "contentProductId": "[variables('_analyticRulecontentProductId2')]",
+ "id": "[variables('_analyticRulecontentProductId2')]",
+ "version": "[variables('analyticRuleVersion2')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName3')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Trend Micro Apex One Analytics Rule 3 with template",
- "displayName": "Trend Micro Apex One Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "TMApexOneCommandsInRequest_AnalyticalRules Analytics Rule with template version 2.0.3",
+ "description": "TMApexOneCommandsInRequest_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion3')]",
@@ -1016,7 +1212,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId3')]",
+ "name": "[variables('analyticRulecontentId3')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1039,20 +1235,30 @@
 "dataTypes": [
 "TMApexOneEvent"
 ]
+ },
+ {
+ "connectorId": "TrendMicroApexOneAma",
+ "dataTypes": [
+ "TMApexOneEvent"
+ ]
 }
 ],
 "tactics": [
 "InitialAccess"
 ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
 "entityMappings": [
 {
+ "entityType": "URL",
 "fieldMappings": [
 {
- "identifier": "Url",
- "columnName": "UrlCustomEntity"
+ "columnName": "UrlCustomEntity",
+ "identifier": "Url"
 }
- ],
- "entityType": "URL"
+ ]
 }
 ]
 }
@@ -1085,37 +1291,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId3')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "ApexOne - Commands in Url",
+ "contentProductId": "[variables('_analyticRulecontentProductId3')]",
+ "id": "[variables('_analyticRulecontentProductId3')]",
+ "version": "[variables('analyticRuleVersion3')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName4')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Trend Micro Apex One Analytics Rule 4 with template",
- "displayName": "Trend Micro Apex One Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "TMApexOneDvcAccessPermissionWasChanged_AnalyticalRules Analytics Rule with template version 2.0.3",
+ "description": "TMApexOneDvcAccessPermissionWasChanged_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion4')]",
@@ -1124,7 +1323,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId4')]",
+ "name": "[variables('analyticRulecontentId4')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1147,20 +1346,29 @@
 "dataTypes": [
 "TMApexOneEvent"
 ]
+ },
+ {
+ "connectorId": "TrendMicroApexOneAma",
+ "dataTypes": [
+ "TMApexOneEvent"
+ ]
 }
 ],
 "tactics": [
 "PrivilegeEscalation"
 ],
+ "techniques": [
+ "T1078"
+ ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1193,37 +1401,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId4')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "ApexOne - Device access permissions was changed",
+ "contentProductId": "[variables('_analyticRulecontentProductId4')]",
+ "id": "[variables('_analyticRulecontentProductId4')]",
+ "version": "[variables('analyticRuleVersion4')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName5')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Trend Micro Apex One Analytics Rule 5 with template",
- "displayName": "Trend Micro Apex One Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "TMApexOneInboundRemoteAccess_AnalyticalRules Analytics Rule with template version 2.0.3",
+ "description": "TMApexOneInboundRemoteAccess_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion5')]",
@@ -1232,7 +1433,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId5')]",
+ "name": "[variables('analyticRulecontentId5')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1255,29 +1456,38 @@
 "dataTypes": [
 "TMApexOneEvent"
 ]
+ },
+ {
+ "connectorId": "TrendMicroApexOneAma",
+ "dataTypes": [
+ "TMApexOneEvent"
+ ]
 }
 ],
 "tactics": [
 "LateralMovement"
 ],
+ "techniques": [
+ "T1021"
+ ],
 "entityMappings": [
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
 }
- ],
- "entityType": "IP"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1310,37 +1520,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId5')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "ApexOne - Inbound remote access connection",
+ "contentProductId": "[variables('_analyticRulecontentProductId5')]",
+ "id": "[variables('_analyticRulecontentProductId5')]",
+ "version": "[variables('analyticRuleVersion5')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName6')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Trend Micro Apex One Analytics Rule 6 with template",
- "displayName": "Trend Micro Apex One Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "TMApexOneMultipleDenyOrTerminateActionOnSingleIp_AnalyticalRules Analytics Rule with template version 2.0.3",
+ "description": "TMApexOneMultipleDenyOrTerminateActionOnSingleIp_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion6')]",
@@ -1349,7 +1552,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId6')]",
+ "name": "[variables('analyticRulecontentId6')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1372,20 +1575,29 @@
 "dataTypes": [
 "TMApexOneEvent"
 ]
+ },
+ {
+ "connectorId": "TrendMicroApexOneAma",
+ "dataTypes": [
+ "TMApexOneEvent"
+ ]
 }
 ],
 "tactics": [
 "InitialAccess"
 ],
+ "techniques": [
+ "T1190"
+ ],
 "entityMappings": [
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
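Review bot: Listing both `TrendMicroApexOne` and `TrendMicroApexOneAma` as required connectors for a rule that fires on repeated deny/terminate actions per source IP means a workspace running the MMA and AMA collectors side by side during migration may land the same CEF event in `TMApexOneEvent` twice, which effectively halves the rule's count threshold and can surface alerts on benign volume. The rule query is outside this hunk, so I can't tell whether it already de-duplicates; if it counts raw rows, consider either documenting the migration caveat in the rule's description or summarizing on the event's own identifying fields before the threshold is applied. The same dual-connector listing appears in every rule section in this chunk, but the threshold-based rules are where duplication changes the outcome.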
@@ -1418,37 +1630,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId6')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "ApexOne - Multiple deny or terminate actions on single IP",
+ "contentProductId": "[variables('_analyticRulecontentProductId6')]",
+ "id": "[variables('_analyticRulecontentProductId6')]",
+ "version": "[variables('analyticRuleVersion6')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName7')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Trend Micro Apex One Analytics Rule 7 with template",
- "displayName": "Trend Micro Apex One Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "TMApexOnePossibleExploitOrExecuteOperation_AnalyticalRules Analytics Rule with template version 2.0.3",
+ "description": "TMApexOnePossibleExploitOrExecuteOperation_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion7')]",
@@ -1457,7 +1662,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId7')]",
+ "name": "[variables('analyticRulecontentId7')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1480,30 +1685,39 @@
 "dataTypes": [
 "TMApexOneEvent"
 ]
+ },
+ {
+ "connectorId": "TrendMicroApexOneAma",
+ "dataTypes": [
+ "TMApexOneEvent"
+ ]
 }
 ],
 "tactics": [
 "PrivilegeEscalation",
 "Persistence"
 ],
+ "techniques": [
+ "T1546"
+ ],
 "entityMappings": [
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
 }
- ],
- "entityType": "IP"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1536,37 +1750,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId7')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "ApexOne - Possible exploit or execute operation",
+ "contentProductId": "[variables('_analyticRulecontentProductId7')]",
+ "id": "[variables('_analyticRulecontentProductId7')]",
+ "version": "[variables('analyticRuleVersion7')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName8')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Trend Micro Apex One Analytics Rule 8 with template",
- "displayName": "Trend Micro Apex One Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "TMApexOneRiskCnCEvents_AnalyticalRules Analytics Rule with template version 2.0.3",
+ "description": "TMApexOneRiskCnCEvents_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion8')]",
@@ -1575,7 +1782,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId8')]",
+ "name": "[variables('analyticRulecontentId8')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1598,29 +1805,38 @@
 "dataTypes": [
 "TMApexOneEvent"
 ]
+ },
+ {
+ "connectorId": "TrendMicroApexOneAma",
+ "dataTypes": [
+ "TMApexOneEvent"
+ ]
 }
 ],
 "tactics": [
 "CommandAndControl"
 ],
+ "techniques": [
+ "T1071"
+ ],
 "entityMappings": [
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
 }
- ],
- "entityType": "IP"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1653,37 +1869,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId8')]", + "contentKind": "AnalyticsRule", + "displayName": "ApexOne - C&C callback events", + "contentProductId": "[variables('_analyticRulecontentProductId8')]", + "id": "[variables('_analyticRulecontentProductId8')]", + "version": "[variables('analyticRuleVersion8')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName9')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Trend Micro Apex One Analytics Rule 9 with template", - "displayName": "Trend Micro Apex One Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneSpywareWithFailedResponse_AnalyticalRules Analytics Rule with template version 2.0.3", + 
"description": "TMApexOneSpywareWithFailedResponse_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion9')]", @@ -1692,7 +1901,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId9')]", + "name": "[variables('analyticRulecontentId9')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1715,29 +1924,38 @@ "dataTypes": [ "TMApexOneEvent" ] + }, + { + "connectorId": "TrendMicroApexOneAma", + "dataTypes": [ + "TMApexOneEvent" + ] } ], "tactics": [ "InitialAccess" ], + "techniques": [ + "T1190" + ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } 
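Review bot: The `techniques` array added for the Spyware-with-failed-response rule tags it with `"T1190"`, which in MITRE ATT&CK is Exploit Public-Facing Application; a detection keyed on a spyware verdict whose endpoint response failed does not obviously describe exploitation of an exposed service, and because the tag feeds the MITRE coverage view and incident enrichment, a mismatched value misdirects triage. I would confirm the intended technique against the rule's query (not visible in this hunk) and, if no technique genuinely fits, leave `"techniques": []` rather than forcing a value under the `InitialAccess` tactic. The `"T1071"` and `"T1102"` tags added in the rule 8 and rule 10 hunks deserve the same check, though they are more plausible for C&C-callback and suspicious-connection detections. The AlertRuleTemplate resource these properties belong to begins before this hunk.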
@@ -1770,37 +1988,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId9')]", + "contentKind": "AnalyticsRule", + "displayName": "ApexOne - Spyware with failed response", + "contentProductId": "[variables('_analyticRulecontentProductId9')]", + "id": "[variables('_analyticRulecontentProductId9')]", + "version": "[variables('analyticRuleVersion9')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName10')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Trend Micro Apex One Analytics Rule 10 with template", - "displayName": "Trend Micro Apex One Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName10'),'/',variables('analyticRuleVersion10'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneSuspiciousConnections_AnalyticalRules Analytics Rule with template version 2.0.3", + 
"description": "TMApexOneSuspiciousConnections_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion10')]", @@ -1809,7 +2020,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId10')]", + "name": "[variables('analyticRulecontentId10')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1832,29 +2043,38 @@ "dataTypes": [ "TMApexOneEvent" ] + }, + { + "connectorId": "TrendMicroApexOneAma", + "dataTypes": [ + "TMApexOneEvent" + ] } ], "tactics": [ "CommandAndControl" ], + "techniques": [ + "T1102" + ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } 
@@ -1887,37 +2107,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId10')]", + "contentKind": "AnalyticsRule", + "displayName": "ApexOne - Suspicious connections", + "contentProductId": "[variables('_analyticRulecontentProductId10')]", + "id": "[variables('_analyticRulecontentProductId10')]", + "version": "[variables('analyticRuleVersion10')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Trend Micro Apex One Hunting Query 1 with template", - "displayName": "Trend Micro Apex One Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneBehaviorMonitoringTranslatedAction_HuntingQueries Hunting Query with template version 2.0.3", + 
"description": "TMApexOneBehaviorMonitoringTranslatedAction_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion1')]", @@ -1926,7 +2139,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Trend_Micro_Apex_One_Hunting_Query_1", "location": "[parameters('workspace-location')]", "properties": { 
@@ -1979,37 +2192,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId1')]", + "contentKind": "HuntingQuery", + "displayName": "ApexOne - Behavior monitoring actions by files", + "contentProductId": "[variables('_huntingQuerycontentProductId1')]", + "id": "[variables('_huntingQuerycontentProductId1')]", + "version": "[variables('huntingQueryVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Trend Micro Apex One Hunting Query 2 with template", - "displayName": "Trend Micro Apex One Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneBehaviorMonitoringTranslatedOperation_HuntingQueries Hunting Query with template version 
2.0.3", + "description": "TMApexOneBehaviorMonitoringTranslatedOperation_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion2')]", @@ -2018,7 +2224,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Trend_Micro_Apex_One_Hunting_Query_2", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2071,37 +2277,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId2')]", + "contentKind": "HuntingQuery", + "displayName": "ApexOne - Behavior monitoring operations by users", + "contentProductId": "[variables('_huntingQuerycontentProductId2')]", + "id": "[variables('_huntingQuerycontentProductId2')]", + "version": "[variables('huntingQueryVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Trend Micro Apex One Hunting Query 3 with template", - "displayName": "Trend Micro Apex One Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneBehaviorMonitoringTriggeredPolicy_HuntingQueries Hunting Query with template version 
2.0.3", + "description": "TMApexOneBehaviorMonitoringTriggeredPolicy_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion3')]", @@ -2110,7 +2309,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Trend_Micro_Apex_One_Hunting_Query_3", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2163,37 +2362,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId3')]", + "contentKind": "HuntingQuery", + "displayName": "ApexOne - Behavior monitoring triggered policy by command line", + "contentProductId": "[variables('_huntingQuerycontentProductId3')]", + "id": "[variables('_huntingQuerycontentProductId3')]", + "version": "[variables('huntingQueryVersion3')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Trend Micro Apex One Hunting Query 4 with template", - "displayName": "Trend Micro Apex One Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName4'),'/',variables('huntingQueryVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneBehaviorMonitoringTypesOfEvent_HuntingQueries Hunting Query with template 
version 2.0.3", + "description": "TMApexOneBehaviorMonitoringTypesOfEvent_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion4')]", @@ -2202,7 +2394,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Trend_Micro_Apex_One_Hunting_Query_4", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2255,37 +2447,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId4')]", + "contentKind": "HuntingQuery", + "displayName": "ApexOne - Behavior monitoring event types by users", + "contentProductId": "[variables('_huntingQuerycontentProductId4')]", + "id": "[variables('_huntingQuerycontentProductId4')]", + "version": "[variables('huntingQueryVersion4')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName5')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Trend Micro Apex One Hunting Query 5 with template", - "displayName": "Trend Micro Apex One Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName5'),'/',variables('huntingQueryVersion5'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneChannelType_HuntingQueries Hunting Query with template version 2.0.3", + 
"description": "TMApexOneChannelType_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion5')]", @@ -2294,7 +2479,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Trend_Micro_Apex_One_Hunting_Query_5", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2347,37 +2532,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId5')]", + "contentKind": "HuntingQuery", + "displayName": "ApexOne - Channel type by users", + "contentProductId": "[variables('_huntingQuerycontentProductId5')]", + "id": "[variables('_huntingQuerycontentProductId5')]", + "version": "[variables('huntingQueryVersion5')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName6')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Trend Micro Apex One Hunting Query 6 with template", - "displayName": "Trend Micro Apex One Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName6'),'/',variables('huntingQueryVersion6'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneDataLossPreventionAction_HuntingQueries Hunting Query with template version 2.0.3", + "description": 
"TMApexOneDataLossPreventionAction_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion6')]", @@ -2386,7 +2564,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Trend_Micro_Apex_One_Hunting_Query_6", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2439,37 +2617,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId6')]", + "contentKind": "HuntingQuery", + "displayName": "ApexOne - Data loss prevention action by IP", + "contentProductId": "[variables('_huntingQuerycontentProductId6')]", + "id": "[variables('_huntingQuerycontentProductId6')]", + "version": "[variables('huntingQueryVersion6')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName7')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Trend Micro Apex One Hunting Query 7 with template", - "displayName": "Trend Micro Apex One Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName7'),'/',variables('huntingQueryVersion7'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneRareAppProtocolByIP_HuntingQueries Hunting Query with template version 2.0.3", + 
"description": "TMApexOneRareAppProtocolByIP_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion7')]", @@ -2478,7 +2649,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Trend_Micro_Apex_One_Hunting_Query_7", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2531,37 +2702,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId7')]", + "contentKind": "HuntingQuery", + "displayName": "ApexOne - Rare application protocols by Ip address", + "contentProductId": "[variables('_huntingQuerycontentProductId7')]", + "id": "[variables('_huntingQuerycontentProductId7')]", + "version": "[variables('huntingQueryVersion7')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName8')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Trend Micro Apex One Hunting Query 8 with template", - "displayName": "Trend Micro Apex One Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName8'),'/',variables('huntingQueryVersion8'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneSpywareDetection_HuntingQueries Hunting Query with template version 2.0.3", + 
"description": "TMApexOneSpywareDetection_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion8')]", @@ -2570,7 +2734,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Trend_Micro_Apex_One_Hunting_Query_8", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2623,37 +2787,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId8')]", + "contentKind": "HuntingQuery", + "displayName": "ApexOne - Spyware detection", + "contentProductId": "[variables('_huntingQuerycontentProductId8')]", + "id": "[variables('_huntingQuerycontentProductId8')]", + "version": "[variables('huntingQueryVersion8')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('huntingQueryTemplateSpecName9')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Trend Micro Apex One Hunting Query 9 with template", - "displayName": "Trend Micro Apex One Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName9'),'/',variables('huntingQueryVersion9'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneSuspiciousFiles_HuntingQueries Hunting Query with template version 2.0.3", + "description": 
"TMApexOneSuspiciousFiles_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryVersion9')]", @@ -2662,7 +2819,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Trend_Micro_Apex_One_Hunting_Query_9", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2715,37 +2872,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId9')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "ApexOne - Suspicious files events",
+ "contentProductId": "[variables('_huntingQuerycontentProductId9')]",
+ "id": "[variables('_huntingQuerycontentProductId9')]",
+ "version": "[variables('huntingQueryVersion9')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('huntingQueryTemplateSpecName10')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "Trend Micro Apex One Hunting Query 10 with template",
- "displayName": "Trend Micro Apex One Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName10'),'/',variables('huntingQueryVersion10'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName10'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "TMApexOneTopSources_HuntingQueries Hunting Query with template version 2.0.3",
+ "description": 
"TMApexOneTopSources_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion10')]",
@@ -2754,7 +2904,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
 "name": "Trend_Micro_Apex_One_Hunting_Query_10",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -2807,17 +2957,35 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId10')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "ApexOne - Top sources with alerts",
+ "contentProductId": "[variables('_huntingQuerycontentProductId10')]",
+ "id": "[variables('_huntingQuerycontentProductId10')]",
+ "version": "[variables('huntingQueryVersion10')]"
 }
 },
 {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "2.0.3",
+ "version": "3.0.0",
 "kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Trend Micro Apex One",
+ "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
+ "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Trend Micro Apex One solution for Microsoft Sentinel enables ingestion of Trend Micro Apex One events into Microsoft Sentinel. Refer to Trend Micro Apex Central for more information.

\n
    \n
  1. Trend Micro Apex One via AMA - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. Trend Micro Apex One via Legacy Agent - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of Trend Micro Apex One via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
 "contentId": "[variables('_solutionId')]",
 "parentId": "[variables('_solutionId')]",
 "source": {
@@ -2844,9 +3012,9 @@
 "version": "[variables('dataConnectorVersion1')]"
 },
 {
- "kind": "Parser",
- "contentId": "[variables('_parserContentId1')]",
- "version": "[variables('parserVersion1')]"
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
 },
 {
 "kind": "Workbook",
From b57445f98c0e852287a5a36b246c1560427e875a Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Fri, 22 Sep 2023 15:08:31 +0530 Subject: [PATCH 3/3] Updated createUiDefinition and Release Notes --- .../Data/Solution_Trend Micro Apex One.json | 2 +- .../Trend Micro Apex One/Package/3.0.0.zip | Bin 22518 -> 24698 bytes .../Package/createUiDefinition.json | 38 +-- .../Package/mainTemplate.json | 318 +++++++++++++----- .../Trend Micro Apex One/ReleaseNotes.md | 5 + 5 files changed, 254 insertions(+), 109 deletions(-) create mode 100644 Solutions/Trend Micro Apex One/ReleaseNotes.md
diff --git a/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json b/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json
index 6a2379676e6..b783819eda4 100644
--- a/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json
+++ b/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json
@@ -8,7 +8,7 @@
 "Data Connectors/template_TrendMicro_ApexOneAMA.json"
 ],
 "Parsers": [
- "Parsers/TMApexOneEvent.txt"
+ "Parsers/TMApexOneEvent.yaml"
 ],
 "Workbooks": [
 "Workbooks/TrendMicroApexOne.json"
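Review bot: The contentPackages resource pins `"version": "3.0.0"` as a literal, while every contentTemplates resource in the hunks above takes `"packageVersion": "[variables('_solutionVersion')]"`, so the package version and its templates' packageVersion can drift apart on the next bump; reading it from the same variable, `"version": "[variables('_solutionVersion')]",`, keeps them in step. `"icon": ""` is left empty on the same resource; if the content hub expects an icon for the solution tile, that should be confirmed before the package is published. The descriptionHtml's component count names 2 data connectors, 1 workbook, 10 analytic rules and 10 hunting queries and no parser, which agrees with the dependency change in the following hunk, so if the parser is still shipped the count text should mention it as well.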
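Review bot: The Parser entry in the contentPackages dependency criteria is replaced by the second DataConnector rather than kept alongside it, and no Parser entry reappears within this hunk; the 3/3 commit's Solution data file still lists `Parsers/TMApexOneEvent.yaml`, so the parser is presumably still part of the solution. If it is, the criteria list should retain `{ "kind": "Parser", "contentId": "[variables('_parserContentId1')]", "version": "[variables('parserVersion1')]" }` next to the new DataConnector entry; confirm whether such an entry is present further down the list, outside this hunk. Without it the package no longer declares the parser among the content it installs, which the descriptionHtml count in the previous hunk also omits.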
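Review bot: The parser reference changes from `Parsers/TMApexOneEvent.txt` to `Parsers/TMApexOneEvent.yaml`, but this commit's diffstat touches no file under Parsers/ (only the Solution data file, the 3.0.0.zip, createUiDefinition.json, mainTemplate.json and ReleaseNotes.md), so the .yaml file must already exist in the repository for packaging to resolve it; confirm that, and that nothing else still points at the .txt path. The commit subject mentions only createUiDefinition and the release notes, so a line in ReleaseNotes.md noting the parser file change would help anyone tracing why the package contents moved between 2.0.3 and 3.0.0.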
diff --git a/Solutions/Trend Micro Apex One/Package/3.0.0.zip b/Solutions/Trend Micro Apex One/Package/3.0.0.zip index 1676a94d6f4ec5d2cc2866c53cdaa3ecbeac305c..71ffbacd3543bd922be3ca470135edf2ee61e689 100644 GIT binary patch literal 24698 zcmX`xQ;_Id*Dm0;ZQHhO+qP}ncCWU%+O}=mw#~El_g9^pB$ec;G3u>(k&&7T(!d}n z0000G0IhCp>KnraS#B@@01Gkz0O)6_F zav=Tq^?id6xVNnZl9F4#R=3>@WIee>OV@Ohb$$}kL1`7z+L0)dR&ea-1%6|{KKpI_ zBxMmkTTRMsX*ebp!V*Q{%uF&5?k8M?^Z!OB%;=}0*G0JHCd%cz7Usf&wG78v$du6- z)w`YBSD4h07hdIH;k1R{BqmF^O|RQH&|ofKm8Fy03>eq6M{GB;EPb7heXB;k(dYDJ zQ0Ldw*dvON3=1y(>~;N(D6E&xMM8vfxX{^YiCTz+<0B4oa~1SoyGh&}?t10E?0 zq|5Ea9WL_l|J4_2H2?fOavdu-5@~=;7J)7V79%5q8IBoMW->!2#N4l6V1cOz-K9n> zrC4BQN-{x7=J)%>_cU(O^p>UDWst@tSGMnLpHkad7P1=GpgZ>zlY!OC$?N67Ga-Q$ zWqgNmnvD#I7bCggjHcvo~dB!wmrp@{Ii4-5WY|-)JDXK z?wdq&Nv)-p94!SFHda!P$jC-C7_yz9&Pe^9F>O{ef`{nFfCY#HU@ZlUMESL}Xcf>0 z&=xd=_rRbKiPe`N;vgWEU&K(h;75Q$$rF8aLP%43m_Ui(K9O=xK{g$PJ1aasb27h z3y}p-oWbNkDRt{9fWK~*>6gxcm3fD0anx-9jU&v1xd6}G-NE6{efUKzjosdAM5X|^ z1>U%#&soy7)o zJX4G%$11|`7`>2Q1;`pH1i|GqV_U1EiW3@-TGFUTlMTLBz>TJDgOB(U#7M5?=)R#NA>aLJPr!8 zy16cELKwYqXhs6ol#@I2Wnqr50AcEq*s*o_vIItB^*IdQAn&3x(0R&*3U?1JKA)N@ z8dUT$sjHxq6yp<3Pan^pPd?`N=|$oia?49RbB`!R!xL0A3VE=I&#x;qHe-y@~(5$l=Yj=iUWGT`L8X?>d)R| zDz3;9K!M)LGw}3u7h@r~ad1;H4E%jX+OBecB0j&nqu95W1AB@f-5a`>og?nRXZlxX z`uFh|woJBzO30{ZZY=tYHI4|Bxe|#u1Dm>6xQmU^j9$%HNC=xih@P%n?zh&$6&j2# zKvCWpisCn;FyV!f3b&^ZRAXugglr)oK_`)l!L7ziM;!nBGQ;*CjRYi|yU`MKuJCqv zyMnJ>wy&;r%QyJ(K748GEIMizb!cS+iDq;IPriPT*jo?j!*jW`nS_t znz-^^@L;>Xe1LRjDEcmBCopKb`?{ zj~%V-1u8a=xvMZ|qNzPa@%_nrxRI^im9|C## z!%O!sFCZkYsXALy3OaFw1M*nQVNEX05hxq-MQ7mKM0;wO#Ia54Hj+0%-p5?#J4Ul* z1F)zs<9-aOnK`faQqiMyqGc^xq2uV6SmjSOkddkFzWomVv1R;68Du1 z{wAa`-;4G{bJ1yIHnJ48+mHY*q$*c3+&Xt9?b2;=j@suQ?FbL zwWyK)cKG_camQ0qDqz^it{vJJxG`2sDt0|rN=n9JhZkR?`oK=-V79Q;-$xh)OD z{!w_|!3j21$I4M>!raSazL7S<5|1I+BO|$LQ-i9nb$d5EI$RnW*19}8J?K(jYY(?L zII^0DRfVLZ9|~s zta7SDd^F07H3J5{f+Ld{bm^NM!VrMEfIg6ZeEkosxfs2!(Louc(x7WE%>!9|I3#zuhSQsgonWDS6S*6Zut{t 
zs*LIYd5Tf1HWMnqZJXL2jfgsD=1SHBzB*ob_zgx2*WWa9gw5Bn!Qk!92E~O>?Rp=I zjn(uhVDGHE?rs^4)M}Qwf!INLl~tD{;|(?d1|NZN{fT{%`)uQd6qTRvz8a$i%Cf@!9QvS>Rl+|SBI zMzYyCpd-%8lo+*$I*Zh1y`qc{oiA8^%jqW`r&~JS;P#B+abfE^wb1H89nkKoSFtuz zuJm^XCGNKxU5tM=DuCGoE5;6BbMLhC-R_z?lkTi|SjT=K>X+oM+aaa39?nxFCB%>s zo$TYZrm5OMCU2_&tldQ~miszn5#td|ua_pW6wF$xK`L5t8r;;G^kb`{?&1+du2T-; zfw2zND<%Hw4qerN*&`mRlK6()S(Fvp-<*a6%@!3q(#O3fUy}j|Orlx8v1+=(p#HK| zKtB79FB!uyUuPqB^+(~zPQ**!XL;>M&e15-C+iec_gT7&gRbAxU9EQmsF`?*)A9&u zG&?gSrnh`o>kn4m|FrLk(?(_CEA#MmHMyWDtt893nrwz^vO@ALkKP|cus~& zJjf?qRV2N?b>l8w-OZ5($BqYFt#%+6W{LiO)hqL%Tx)9IxBr!JOF{JQ>`5=Mm|82jz>p~?9;U_N@XxUUnoVLq6XY4R@Ix>EAh zhyBSimF8b-=K{sQcl!&d@c&1ZPggc|)nXtNFl7J$av5L%#DAlTt)Zozim9!G&A)-= ze?!W3x3&8wM;hJNca`f8@W^ASvAJf;O@neOmw2M{eM)K@P1%C)geIO;5NRBxlB|-O z3U9{l&w*4Bi9kRH2VHpfMU3c8x1)C*AkP}e?{n`jIso^tK11d}M)M=mmCT?6UKbBf zu{)eunzig6OvirU^XWi1II;amE@=3()peVaty*RCAY(T74$`FV!1`9bkjI^V;OWoj z44Bp|BDZpu(eGn2l(#*`y8z`q8u-N^viYPE$EIc1QmhC z)M+mM&n{+fII~D>f{7UiG~f!B#|)83WMG0R#FhtN+fxBI*bvd#%)a{Fd?>fZC-(H% z)&p${W{Nx^bsT$xP^P^b^fpYobHpN~(5@Rf4|E$%i#OP|B!{TH_5C$tS3R2CTjw!N z#11|mOjjs>(5;U>PXW%uYwq$;>9imnlZsK$ zq~?-K#HS-kBl9ALHP?7&yX(oz4z*M;l+biiL?o4x3N7~&EwEeZz4i)oPu_XCqRtk_ z=aCjwA}AM6$@bJqBC`&H+9Mb5Yw&;Hc`n4j@lWT-clw;<5=Tt1z`_-G;d5_+=bc61 z6E4@lgHi!;XnnYK#K@4^2h2i*Dxl=Q61&1&RFl=oecJG+_8|t_$-Fc~&tLNJPf%{& zd*nKq@Kkee>2*Hype1}KYcxTxDx~^5(8hge=UbCj)_6{~UPq!8K`7I9=Q=_oVD>Bp3`BViR5;!2~)JVXSIMDZ+<|P=Z{au3tI$cSyN&!_YK=U)fX@zS`1n$6i1({nTeW&4^2{npH7WoiwBnfB~pk1>!l##(Ls*Hx#wW`7%7%)!2Ve`k$r3wy-D zo=2&TJ*uz!{%wDUA=tZP4JnZ<+?yBwM#OH-hCOVw+O^Aj5#mOcbt~&%kwuJ~X>q7m zGsHG_eEzL0GY5HeZK4IHryG%)?Q*t@*fiC^I^}AD2zKhh!xzVr^#I(j(Yv;lmA-CM zkk>S_g}##&Yn_8x_}!DZdz z{@3Ox#!b$@Hsui8-0}Fgxc{$BCzG@7ifq><%vkG78rAriJ-_0x&-s;oKNFbOqJM7} z5jpUCeL3(m{a*^k!fnXy^NzkgKEPQRH`mL1el{Sl#;jZMt#Gf##%=igN^SV)fuHw> z;h*)GTZ_YK5lfX}9%VtJb&Pnb*q2i~6@;`0*2~$|r57uV@yYBUypyqTt?=<)N?^uo zU1BW?DUj|H_Y%wN>VMMq|0MQ5 z*({!ub+`|!V;q>duJ(Vf`akzy#m@h^zyGWFKPUS?cZ>1Q!S2uBJ2pa6%dT0fW*%0m 
zVy+;r(LOaY*R1ZhRRDXNDXY?zfO+qfUWoPWFoJysUscoqyiDa<;jO8!EBk8HO}40* zN~{Ebk0D%%)Tr9xw`vI=t!Ig||Mh&CN~_e7f_>?tU5*X-9{VrnqW^N{uKX`&@&Dzl z@V}gm|4VGqPqTdt*o|C!D~2Y4*L2u8bkNlJR8Q1Ax8UJRa59^Bg1R?c!~z=bw8z~% zUQsK&s-utrM6Y11lC@RSt?t^Zc_)7qQtgDVt8u@ZU;++ZInOxhTv2EiJd*j#?I+>!M`sq!{!CZR}My_fe$%VX}78UI@y1*D*`K;`tNl3>5$ak_A*ZXw|Q-<(OI4zdG zvuk!|cNc$X6gsH}YWq^ufkOwR1sZr^$KwnJ4ju3bF`)|~DVYU6*fYRn)Ol8n*B5Ih zySu5#PyuqxF^<^U4%QZ25EuU-GEBi|q=LmA;NZ|Ih$Gq99>v62Q*-YLG5@3ow@>(? zO9+JO?a$Bz1n(1VnUGH0DOWj1Dy7Rw_zF%u5*ufP1t!N%F_UnsLR`YcbRg;fKDIw*&&ii<4zHz9qlfJ7JK=uj{0BLG-)4|lc~ph%(}B#%yUU_s2GjI zdRgyh(67^hm&kBG+k%!tf~` zhgvW-fIW4Vsv#8q*Ff<*KhMZ$`6@l{8F3x%Y9f`vD7`l-|`nwiwk zU4pwW1eo-_g5~c^k?$c?r+(~d7AF^A!QqtE400U4$zOw5e zL(%yvbvgmm`ajci3{T`Fs(^Zd8PBfliqzh1J!gu2ZhKxHeCTwMV>@6}F`R&(aH&n< zQPBWK)heDoevVjm6+rZ@9l1Aaii1&25i+F{A<|Xd%qpklB_65NR7@4IVb#Avn4m&w ziFz9g^nIBgov{}hs@vsutM=fRGYz=Id(sZZoPa6g zzRBi5)3s)90cELCoM?#$%E!)Zf>YLlqv4q~KaT(x>(-bJ`(6kT#sG@!6uJBa0FZ4W++obNMDk=Np82!iSc7 z1)=I_soqT<4>!U7uVI8*W9kR2>AW=rQ|by>-qeKJ+8OWwR@OtMIDd&0egrP+QT68C zfKxceM+rh6Q^iJ?p3c(;8XYd{X9tf()j0tkGrjH)21h5^>Git+8o06w58w%16zy*F zgXbdn;{(+^)mr1^UcJELm@p47LTh-V$|ri>%O zlmyDM0$6}Oq|@9DT3=7D@h}opss9ulbCMxP>Mq^i()!0#&jk2fdmZbw_Xfc0MWppe zz-18IL9XJwYk|!a%JVfM=8uT-hanKy7|NS>ilq680k?Md7#IBnl4)e-2G)MX;W<(_ z2V+q|Rp2f45g(<^N7&Y5Wos5y);1WIrW{utR3rFXPT%WS5!|?V#e{wnn9j}*P?7UBnX7Z8bKTi4U5Ztk6p5Sf&6yLe|8T7RuptP|Dbd5>T<>sfD_Jq`(NuThY@TuL zL@yhKP+jEifE@e@2_tw+jM1NEod)s*ex-`<}X(|}^S__y|g{jPR{-Inz9ozY9wM0hrfo-x>8jEYBJ zmQ!>n-3TJMQ^xCM+3LA>CoTQ22-n8ggMF|s?~$p|n_i&y4E>Sd_n%u68seSu@5r)@&91Za;> zL_vCS{Y+mLcODzA^P{<|=*Wi9p^Z_@H2Ml`dYG^&+>tABv5m{opz)bEbk{HUbC-iP zu?bb;6+y-fC?19LUsnGB8Xk@s);?CazS}Ox1HE3_T8bwNM-;>rpxIy#NwZinJWNlb z-otm~$>!hUM2MiHE$6HGhbWgz{u!f=n{*goAsphN!NBpl1s(tu!gEWg>rE4Tvm+(; zh2`vu9oHa1voGNIj05xtoM;s`6v@G+C{{wG_mo(wXS?W;zzOdoZ{Cv+Mt5JL1_~xpAD~N@XUOGY8HRb9th2D0 z(jO9o6BUMy_HCsp3i3~~QL!uJtr~Pu+QpV6?iwZ~tMBUfWqWzUTEcvRA^|^{!7Ow| z5S~+F;Qoo0kK0%kRDR`ii$*F-hIR%5X+T1Ljs3-!TrhTf>N&k@nB?w%SE9!c$H{=l 
zQrG3B&7}w-8EMS&%h8W2E93>mbzK{c{Q~QM6yxtNBp!T}7uK#-2Mv}5cjfJk>U;d> z@FX3{T$v!8;p^4}Po(4Rb) zdu9=6`;XYeSN*OC==D4XS1tE1zY8u)HjwZ~Y*2V;Nio(SAZJzYn7puIkaR0KG#P$b zB(^E~A~dnRX`(-6n}#!)u`LH==9}qi|0wiNi3a~^1>}>hYlu^q@z_gIp9d$j?!HNe z=UTb-_6^@V7|8f22#RR#AAE>w2{hQpr;*TTDJrVooCX0-7wp@N5!ui~s52x;LJ@sq zf)ikZ<70xqVTHb!j+SGJkf6{hkl9gdL%KzZx}}V#2D02{KU~jNhMY6jHcCh6+oC=NJi=EdU&%7;COm_uA^O z5)IaP^jHl#wf(jb#~3zUwb!Vv$K?6oGv`}L#vY@--?1L2E3gCv&m5?K#EeRX9DsFp#r{ZISq3+$H_IH6M{?~G>8YfwTLcir#T zyIyt@f;X|o#t>)7F<|O^3Eg2Pqh=zmsm%&&zf-QkhoPN?Yln-j4q$gVWycMatwk@}zUHv=iz&4R-<5-bImjH-TaS?2AG>PlJ zL!yBv+L{H5}1nFT2o@yRRMi z7exe|BPL!nk3*22w@79 zuBIAE_cS#&ePDd1qCer~`Ir;EMRo^j3c~7zOLH9_K$5S;1?ETR9!IB3$w1?vBksNe zl)W*lI`RyCD!h3s_6(2IyA>HW9O45;63~8vJDLsEhFA`fn~a?qe{2$XYGoD}z{Pwl zA7X1cZr7;J@B;LR(m(XHt8hrBQ3PuF^GOFMp&)0YfJpu*lLZVtM{YC0q7&KCw~c(3 zm-p~%xW9ndS4v2V7~<5bQ1y}&MW0nCn~Y*`tzZBlH7bsBSG^&JnHb&cXrs<9=D={X zT&V}(A_c>$bdrdLiUlVeBVkzsXzJ|q9wqOH#w68a$WDQqH5p(inyq#crZ&TS@i44} zz77r0Q6gzq>^tev;IxUmZ&V4LBa+J&HbHsm z9umgcnam@`@r@>Cr2)UJK}-ti9&}*SpTx!L%aDqS!%e_RM%;`I^!Iwu7$Oys2Fg4F z+}*+AHT9pUDTc6&6yR(Fz(cOr(7^T|3o?BCe@_kL0B%Y*wS0kds7yU zyqg?h!BT9-o)*P@Fwpm#*y!7>P4RT}0!hhL8(fyQYmk*VgXR!(8&tBTfNm`W*go$!PD(X48IXqrLA9l0oT ztwE7(KcURY*h1$mVK&Y$e?6?+jJWlODs!0_eMyx&msx5>uARzaV{t;jz^aJI}boB4r<(uw>& zye4gKn5DX5mg$BY6A4?(dQn~h6jw|i9S%>=Y@2N!9bx?!ry1ZQR3_o=}WKA5tB zAot)9SwDb-C9Z}G)FI-hAuQB`8SHn3R`U+0GD((JEU7VW-H&a9f1<nw_;QL5txnWbyhsz2*cx1+0 zviK8JZKN}sX)1}UW#B8-tyEQ*nMSpmpusJ~*h*mnZ9dJ8b5SwpdNu&)X>pnxABCjC z%7h$B3aEh0O4#luybk7N`63&q=DQ5-x-aK+kDuISOu2ri*7r}bcgCyt)%T=m)|Tb8 z7&dT5k`9a#q8hdhsWypWe!_=sAilBINyVUt4M5x%H;2`^?QPFuNVU|tKP?jX<=nPI z4+;255!W}--5wfeFR4j&R>^f%Nwzd7_rv)1#fbLV%SU{-isT*^g`LXC*Ep=obGpCh zgck)_rZ-}rUtdDdh8!PFka2$j-AJG1%(^}sO3l`jRWg*y=;kpKU?vs}Du6YNS%HlDzKTz$fkO0}#MP4Q77j79a4gspj1Z-V!sv%_O zMkx7yMAob8ww%do1Xyqd-gFDuCH~U#{hnZ1go``uo z^L}%74T^CfN4wM}CT#q+gZ~v$>N2_!(`A}yNGs((2p7UGeTcw|(i|iES#jI*rv3w0 zs&HP*6<`Lu^v=Yu@?ZKem#+Gv~(h9n}ZQM0WZLrA> 
zxk}r?#TCM=$-^+lgO5uKve_gyCuOo9G6A9`1XLKrld8ssx=>K#IGR>W7)QzytHF~4 zgs(e9s48*lzNw!eri4~PMuIFkIjK0Ac9`veB6VnlSzf;7q-&G`6vMiUX-1_|!7{AE zWc7fOB^0&Qt^K;9#J06qK+Ii(F$0zopE_8;Bs%CB_)z~KNvyBPEv&$&#%FmEu5?R&cz_l|Kf-lik z(FO&Ye#Eg9q7!5&oxl_-PnW;J`=c{+8Ss`uXc9#T7ule7hWlq;LwsYdaEj88lUetE} z+2+M>JSd&UV?5|FoD^EGVNY#5Xp#(Q-Er7~E#IdK2TmGIhhJTRFOA0&0c|VbTdi(K zsfAng^H1F-l$y4I0@06&^WSZrvU7qiv+m$<&&1mA$aai8lmKc&Ebb>5V!d;|FiwTv2gBj<>GpbE9*`@(yOf_+ z$ycc5z`WhsTj)^TUJ$C*Nlo7vGJMHGjDB7Rd}t`({5#ooHg5{Ipr$ID?#oI!ZGx&<* zbO!I%gX%qm#2T08_3T~~ca?r!}yXsdJI>x@N@T5xlVmCa!gLl`!wNe49)0Ga}k zl7yp>jWb`=d{N7!OjT)XK#rYz1mK`c<${^$o9%~ndY3EjYNT-dJ+RB>n2XDmd8ma5 zqz|5Z7_@K8f?`jUe-nd8MzE9fVNvn_j5J{q_=#F3@a#`MN;f?sroxp>DdcYLA1aj} z>k(a#@k%USw5h{&#BT@&ed$+QdUQ||vlxRKcXlebZuqP#6;&9Fm41tuec{MPx^}A^ zOx`jwShBn}G$5OvuBxr~g62%MCkn87<^j0}4C->i*|!Mt7hMJ%WjnvD1T-l^n9df= z*veWvbh?*JF^<}9$_8i_1F}j1gMvYLSqoro_+p%9n~<3x7XPubkk=8CN5V0=Usl@t zTM(AcUvCL!6>9G@xe6E8TwJa(iT zD>1Zi6H`~{VKIYX7#3u01zg>Mh^)Z9#VMk;DEQ5dz6n%p3Qz|0-n+OouYiwirM(f4 z!X8~a;N*+GxW#h&q+t>O$&Qi;!o{Bd%XnViK7zwd^sXxP&OWRv^$OqXya`0Og}|J7 zctXOV?43nK=!1>xAc8nm&RYLi=U}V@(7T|%BajuLubKW}g{yfHt6m-+%P4c|C&R44 z>~&!7F^6zU$(quw{d%Vrb_l1yujZ8kMgtNm6^kqLEDEF|&tnk4o^b7b5PwbTR~aYU zxCw%bxCacP?o!W*W9~f9E4W`PZ}<*pY%d66S-Er0`>^Ms90M8u^mw3BFhU+S-G&;^ zH1j&S4dwbQxnrvN&X6-5$<$e|*2A;(wlfCSkkQn^|!n-&?ls=RPwp=G##j^>?&M z>R3s>{uoH#i`ZWBgRR>C`1!ruKRp=C@xLQv5it^n`%aEyvDlE{P?M;XJVCOD`qOM_ zuXd6T??!{adVr0!N9;4bJg8?V{?c<6hZhT-Ws~s6fGOYpG@r&xj*J=peA>7zB8SUk zacs5@AmTbCtBUYK(dxjW?*y_N*6>waUsgHscHBG8lqzZX+Hq2>HZfI+o-xuz%Ltw& zW~tZ(iecK62IqPe0 z;0{{_|5z(mA8JJBz{Agsu^`vlCVD^g+xg!a&T>4m0!nQ!_E@r60mb|n%JSas9^hbX zA}~C|jS^r`LzN#yI=dDzLElNK9C*{yq`(83qmz%o>LWY2J@lB@kORST(ZNhh(*#^! 
z6sEcz_Drki{*&DI5!FY4`LD7peF z2E(6t!2(K{P(hv8Q2C8}B}mp_v!r=O+*O>gj| zo#|(Go~p4{`#Wipe5=V8>XY~arsaJCJM$u@-tzl(TxkZrk1Zh8c{*C|bNe{)$!|z#3Seh4c1SzR0-EDjc`g~4fuiNFynekmDFlL+M^a{;xq)QE zGKeU`GpeIGgi-zdb$(k}{457T?Qr8Z^_`wNz z=jq%*1bDd|c%4E8^~sqrV4zLVbp-W_)$TIyot1SNHHiUnYVi)T>VaMZ)q-MBwNVY_kd;m#>1nH~*ZaavZg1mk{d)bUbkMctG!D}6gH23q%3Hd%D_y1CDtZsr>OD$0|0WkT6RaURMr630MiB?4K;*~7w5 z&Voq)Gq&9Jal9QQ)S!cK>1+o7sMrbMxivwIHy$9O_w+cvtWBPXZ4xP(D5bJjS4ATW zmUW2~4Lz847A8jA1(3Fx>|DY`4oY)=J{~iDj?b{l2nLCs$$&)+(L~Dr;3hSkeE$1u z$A%Mon{Xir|8H$9k~IrTtwn~DTkqylIt?mIB5czSE?m>ffk2C2R7mT7#qrOBets^M zDvX?uwXK1)fE5pgd{l^+J=>hvJA%*B+BOW?n!#?$pOex-c`fOoc}eKOw6N;5F>K#EA%ktr7GWQ_ z9$N!p9htri_i)$5)>j{u$FIZ{2_mZ7X3K?VjZ0ZF2TE~ylBkanPn4B`bB0!&>Mo70 zt~ANYk{~=Ml;PAf?!%*@ZHp~Q9}XhImcR-?Lt3w!q6)K2wh3!*KtbNoTzK9up?Jd% zBZ3`+^SGF2kgM#~*h@*6?oXKTMwvC;+!~DK^H{XEAru7s2BU0HKt?C?Lk`&&QcA7#FTOe+%YX(~6lFVGaL$rHuAMpEqo z1!4;b>*cKK{Af^t9h_^i#->mh6=gA9=S7f4fZt+Lc_9iYbM~cAyZSF+zZ7#Rqtz*Z zpHBM&`2m2298zyMb>0WwkE=VYKrLKS+QU~kl-G5<@5sA7)C)4BQo$B!no}CxTB=ys zG-PSgCa!cx}?(FWP{*8O9F-mVtD-=v4ie2jGw72QT}HUc5Hu7k}v)wBb05fm1dusDFM{F$e;zsryb%QD6}QggbN8-Bn6F6F>ruIzhL5L#9=A>QXE>~d-- zD<-ushL>gLY@T_G8594WX5DGHFt+l1wBqk%Tg78e=h?XV{fW-{L8a5D-2X(@+K}g& zf$N5<$2qrMeftq~V1I{%NYg);oBE8z!4K!Qa}a`y3%-FkeqT0-6yW84;}{BA#@8>` zh{tCtOEkT9_;$;GPcnR9F;G23|E|p5zmFMskLsFsy(yY&Pm|#t`)$eI4?pmDUBrLD zt|<4(e5lj+ljJ{D^V60qZF;t!9GBup(+O&TI&%qVT9bPnj3m-8cMf}ln8qDWmrC8G zl6CK!I{kYDi6jd5j(h@NqR)_;j;kNWInhQlh$C8~o=UrZJvFL2ISXWW-WZ^Dn)}0$ zKh;|6_fYjS7@)&TYw=(yV7v`vjI{b;jVmlyDqFzYp}|qd6Xjzqp7@x<=5?Xua;D@W zG#QG!1-7cYf{_-SMGWxe4sdr%?yA)u!F@b+)0v}@3n;ZJI8F0{xJW!T>=dU`lX5<( z7X46zQz6o*wIt&)tLx_WUir<&q~NkIt{A)bm&XVuq5E)8fGbfx7PIO!Kq`*60{85I zt#4U)wk>IlWdvEQ^%y($c=rsO z@acLS>;a#vZt_IP7VFB4_?!} zm~4t#hDpq(bcJM3W|wN+c_ddH*@4GbS^4aM#Qu<_mC&<&Bo1 z0`wk-RWUuwcW`F(V_tK_s}eYfe3HpbTIwkeYZ7C~zC4!V z2KP%Y`B+|pLR&G(F`tpVxrMY+@nwaQ6te>A@>By0mP@+MyV;rlxhg~U;N5NHaTD^} z8j)a>4Q~;@-{`9Tc0FCkbX?VsKdJVJ>b~TdYS%~f5Tw7pLJ&E(VS|gU8C*J-$rsgV z3yP3SQu>bJM)$`1*N17iQy6dSYf?6~ 
zxc|=%Z-Kwdo#vnGzd5`J*g_d!|NTvE=HSa=5b0(Bm{lC+`>PIb$ibDZE$G1S2gjpN zXiXNn+Ldo~x~>WGvp?qsZ+pbCY&3hpKFd{Yo-@)Yhx@x-!*7kxZ!P@5{!x^X9!WVd z65HCDZr-cxyTV8Gi`01i()cpn_%Yx3;TX3f@20n(#~QZLl~@R0Z2(0@EPIbED(1iH zV4Kgg`giu?(ENI&(QA~XU|DH=9tsEIwB0tGHYT@O`;A{^@R`SYEQ8atMS+tMPGRQZ z;?mxDbC#CEYKM%@qAb@ObZn~Y1K$c@xic^}ucGsvlsE}sB4P;Cikj%u*|Bi|xb3k!%)e zZ31tM{GEq8NzN{?_{*UE`#yc`$AahUMO^se|J8NXL2Y&47KfJN?(Wv&u0?{oYtbUb z-J!S@w-BuBb1lC2`1EL}JF z@an?Y7Iej5Zr$CN>C7O0<1NpiK&p4Y3Yw8H3(fXKuSFz28)_Ym>5b8QP5=F%-g(!c z+nJ-5;y|^(+??)voQS32VP+c{dI{BGE=HhW3(;J$4&Vb*?eN4?20edw6aDXY=gk#N zV6Omt&b8+I+#LRbhDs2fmVa(h<#^qrXnRVlX;kYcaZ%^>G+_sx4a4p^_=p(hVvy6t z(%69FhG80;?{P}&)WOGhtVfOst*S7mTr5QZqHe#RD8G8$utM?}c9!HIPQl-))3B0j z)2OyilOvaSY0D;~;Co61{PwB11Gd7+z5cVpUA~L@ZI)o8iuVb6KRf=6w?fxkE+uu> zbdc3|_`@y-Zq`a?_6b`D7#OWtukkZZEMw{H zHlrVGZkmV*JX?l7l=xqu=ugldPv4?VDDR=;X2Avzei=MMqX}+SF5}z3=uA!fn4+O) zS6_o;0D;T>+Kd?w2bePpgbB~rRKNwt(hgdmh9aB)Oh$4J4~l|%f`eWg0`EDx!^H!}OW=^}Uo$YFOBzg2k_gvG5d-s~Dz>^M2kBua`OnEz@{p0SiD5&#=MFGEB8rupa zWpe!AD40}&MM0gfLsiof-5s|zi^7@p4Z5&&4b)?#OBHbDl(QysH#3Ku9enM1=Hqog zTbidCssRmhF|18J`n)wd=eLrA`&cS>JV~+zUlct|hv4r^;zNFeJPL8g%hgPkWrnEC zc-lBG*FNn*-dk~{&pY6n#Q65xUq`D)TzS{zF3L^Kdo|k(Jf&Nt01i{ACrsIR92lgc zxj3Yl{lg7%mO<{Kb4X=MNmibn!pYz5TU1Wd-+$O+eNRs)9o*0{WnjgePsD&=(P#UbS69u z%nBVgH|QM_un{XPe@*dN=RNeZKy4Lkl_zwU_%psGUyg|iX79`4V3`fJM{+oK77M96 zd86Tt@I?|r4PvdQ=Bs14!oO9Xu^eU6pHH!7H;^k|@H%Wyu^!0Gu(q<@^Im^ve>QVR zt~E3rEmh?;wp<@0H%guHrm)X&_wZe`Jk~TdB|x5^2Sr2t2T}wJJj_#XqhX#x(MV$> z8Ay?u_}5cX$}ms8jn3KK@(ZwF>_LY1!4c|V*GCvkAO zYEy`u|^u6D+Y?}j8)Dgy}9K3xw+(B zquG>kpe|dvLQwXy0YLVNT6^d6n^yAhoW^8)Y?_*>l*Ol){6f13mS4oe@(b36BHDlR zi?6gV`Gt1TVWFFtDtGE-7|=?tCx3Z6M=dI~N=Hf4ZM$gapIu<2t^=zDDzU705j-Du zVz^UM3ULwD5>w*MIe~D-yoIjRe6-E=9HiV+Qfns7c`fh_bd-lgP9wwiW6q0KyGr8R z9L*-QwL5gMB#Ew-jMAWT2^L8}t3B3%8UksrQNUc~4t?t+;1_gDCN-tG!o!irl7RqE zUp>oKoop3_t6a63o>8_vC5t^~^gqNlwG=(7OtgW-Q*L5WGYqh~HvW<}LCSn|-F9Ra zmjNt1e3PU47^zoEV%T8CATX(Tm3saw{G2mz9K)qLi6z+eQT!8*6;WMYNYhLzEwk*w 
zCHThY9zgO7;TSU!b>>PVVdOhtbgfNS_BNe|iSatiA?1W`XoL^pRa7rud5%N&pNhbD z-1(sMekF&n>YgvEdufT{!mF-?G~^fV@lh~wxJX0JH+?DU9G^5n{CCc5JI(BtzbrYn zh|EwfMz;^(s$R*DrCs5MdkW^HQ;X!6OH%HB2s_QeFf>uds-ec6>DRt(UIaH6-` zlQQ~3mZVGE(}-yGd@0k6$rz=;!M0LRN)vAcBSA;V60r)HqP#$t-Tj`#SG6q75k2K3 z-jp*}r9&oSQ(CaZx!(4aLL(WB$f5TeqFcS>dw*Dcyxw_bSfxt_p+#Jnd95_59hiXC zYxG9jC5dcZJ{5WA!I4l#j#NpA0 z;io`)V~)7PH_gHn(%fFOfkL*D>F!n2}iT(a-Bu&UiQ=L~Zz4 z3{E~1sHU{1D>*r1?PipgkB2dE>_j2Kq+2}Hho5K8gU2AkG?sp1JUV6lA7bL~n5|O+qEgNo&BuqgH32!x^E<_T zN-hW#WsMtKButPp)r`h3bm6QYOIUFmm7u?KMY+U=(VH6Bx#Ei#tx5)Y+>bVVTSXph{E+wsd<(@GA&3AjtGhm7DFE}5^SQHWB(NvrAe zao%6@1mUWgH3Y^~TK#RA_`OI4JWZXL4q^F`3A*6E4LkNO265B{jx{N^yii(q%ISYo z+9{0EPU`}5tT+8Wo0Xs;zv_Vjgv7AY z3i+h4pm!RZ41ZeW9d2bdf`hq-^y~Xw(t(2y+$6@1bC{^x9+!;g>_)CtD=vkIP0PJA zjd<<;qw93%B@9-k>-XN*A_5y)+ry*do%HQB+!wfG8gEWv48AWER*^mZN;RnzY%l z1ys{*F-$nxG(b4Ojg0Gne_cnNTQ02kXJ?Kt^N}fqsX5}!{dl{mkxotICVFdsRx~Y_ z29nnor-3ZI_c}Tx-^g~N+rm4>_L0gdSZJ~iF8=~^Y|hE^3h0rZd#M$(5v&XocKIm7t-|Y*G8^6!mRUBHXZKU4COC=u5XQWi@@0M zzu)Ytvl4f?iqwbCm?>H(3dZe9%CQ3m1-IRQ{qUa2jOEquMq$cKn*pFVr7COPJ!pfq zADL~e)OC_}BV@*H8JSRmt>+w@N#pHc5E?l{Gp4UMbU5IY`RdH?s?SJT;*ry8Qb?Kt z;Q*=om0X4l-N}?|H4Sz9R~2&KHqwZB`xd3w`~K>Jlc=RG^p+fNi(ML0iAqdeG)kHp zkzdPa>jHj8yD>y)X$q2vamdMnsx<@;DIpZE^ekr8_U*Wdt}g0;0>`@giM~O7tu%>$56vXxhml{1|vl1>)`;d{2)v(vmZZ; z_bpohmAXU=8#hFW;sufUmn&ZD#kyZv>>xcS7*7S&2iqC>AIvz7iS2Z<;*@Ws>-@uP zBx<{A4Nnubf4sj|sDMsgGuq|T8c`eK4Qt}rZCDmkM)Z^{pvJ}QS~^!O)&g!X??BRl zR26#2Y0tlNb%ob;x?CzwF+GFyrCHiwAHl6qxQj*B5{7>^7@?& zcm9PWGxHm#B(Hd$&KsJ)Apol(=WnZlG19q0i>lRY6Hv-rp=#94iDdS%&_f&5j9v31 zC zy+1jzqUD)h;bB9gAB$)H>l8{Ikt;=u8~BIS|`PprlUNh?1Bx-FFt>+&@Fc z6}m4RkAUx)$OF|ZD`snCC0u4^nL2|MaQQ2}?)84tfq5kLowa{R)FuG8Fd>aOhy{$R zeF(gIM6f`VP2qK*#?5;$iwg-@*P|U0@L?x1fZv!@(JlJ+!_{i~)t$2t4WhQNL)D<^ z*OfoS@S9YHOmxniD%s8W-tiHIfOIswT*#^(lPdf?gabeh>3?CiXjS0{<(km`^@HBG4e3v9CCxEZcnpM zDewQHpPctnfu=4?r&2dR{X*@CWt=N*XO!?x)Kpke6nj((T>My-YY7(@MEN9AKZZ6< z&y%a%g$**U=f`p=A>qL!vI#37n1GTG`GDR)sz6~Qn~*Z_uUOmS`uAmh2we=%)# 
z6ozTyAmeCv{UpOFt8VIMAPm!>Z7@vB5MgMBe6)umBs{G{$wN7Ba9?h?@tm_Zt0OUs{d&tE>FUr2T{dDN0$t*?Ia&Xd@QlL-BF@egoGn zGr?T)v7(e*Y-k8v?CT`q!R- z-e54bgD@q{q}Hrmy;lGcvSp<#*(g$BnRBz8mSzB9L^U8ztC%S#GI|Q?vpEltGYj%I zCO&eTBE3H;s^l5Z$s$+4{l&$$esCoEs}A*?FD$?a724vzGs&C1_xU$WBthC)#o+Jt z_DWKl#+S5;Avod*yU+rViMJHM)FrU>%Q%xPNbua*mQ-pf>{?^l1UIjI9K~U9-qdV9 z7I;G$FavNycz`K2^P9s73j3yzGm!#)eSbRoXr8BHZUXW5o!56_8gyk<%WIOYs#ngj zJlgl7Oz%4PRT4D1hnK~K9*f3VH{~0Kc)aFX3^VfX-F<^N;?djbUTL+rkprnrjlp_N zi)*5)AB~UJ0F|uvK;xr%yG2dXKfL$3%#Wd}DXouxlkzzIb@Q*Cs~M-`FwdQy5(!B% z-ep(06L6q>zQ@2;u{q*Ei88B};83y!`P=a3b+iUf;umau!1zn5k{(_jisjVk6?nQ; zXm8@1>->-?c1Oqw59A;>0k7VERt13(z?FSDL|ELxtBIB$mHJli*83@hTyPFf8b3Wv znSB0|GfiO2p={bUJ9;&LQtgY~RhLOOmD73-y)Ks;N}6A~E)uD78a*aNa}aiYLdZV- z{aiEd6UAr0Sx{ZkIB9r;B<1s&MSWTJ*{pQH&~u9e2-k1q1lDgXL@uh#9bOQr(g-%W z2dkzvA0ECz(Q;zEHzw(kF5#KTN$qO)_$bs0CB+c0JT{Oytt#rX^?Y{znV-F?2l^=9 zc-?Jp*w|<5aWRm8N~RHyU>JDRFtP6u_+!`^bimG|{U{u!n?H$?hwSsBhd3^RreXHC z-`}D;!QcNHkGg1FG84EbKL?5BezZ1lr>*4^hRz_Li+{72CRJ(ntFm~ue77KyfRcA{ zn`y&Y)o1HR1rZq+RGYQ<3==^lW<(D8i3$%kdvJ`{1_s}epI5eEKb*>ITkWvfLR)@3 zFz7ZZ4vt(vHNFUuJ|y&%2l_jNN(GyDSUFvL8~!{V^nom-6;X5zt^TckQr%uzRne6% zwcVh2Z!J}A4z9MVc^GY$XLMR z7tr8c*gS5~7u`Lx8dUvxu3EX=}odd?6l%jiz4W1~No?*BLVYryOh{bWcC)J03Q!ZlLQiJ_`?4rascQt=HN?QatZf5v z&%k>)w$UG*?6omOUVk&f&x;AStu`r%e%C&*YTJV-i;QByiBEw`ySu2LR8XIoT1h4R zE*9Gc3J~TOeY`%y+D`5-D~cHDC$P=4>TMSqx07<|ZU2kb)kCoK{BhCeOw_5%+MBTv zIdlDGQ#H{+9Atgx+J3Te-{6lkahiO}fgtLS6?C9;=UVYC)NQc~BA!uJyLw5BxH@`L zQF(?oxrOpAn`3teZ*jQ(ccOc|i1`PMnsw}8#Yz|7@$|Th0Ugf%RtTCz(1mQ%&1qVvFNTy*1fFY{>A>`d-0rzHkUC4 z{1EW#7zvP4*iX8jRwE*rd=iQ`we^BbwvobK*a+v5_XLCZtjm+P+8Ygj#?6p&yeBo1H*mqszz(ol#A=__6Gpjoq zlj&mZ9+xoz%W%PM;Fov=1>1HL7anpMas%lJEQtg|+K>wxv6?<y3!KO}xLsaqy8#mh!GXMzvMm8~ zyPHXiw^*1^c?-;vvW%?eNn)8r8V7ex4#*!kR<;rTw;`N|O=X1Yr8Hr78fhH2-^q{< zfwXutd4Ij&utrl~`)b##U!~*t9T=%bV6%ba?1^+sX0oXa-Ie24+RjnNdoLN&Njf4l zBW$Fk@J%0SeUn!~hnUy~xg692s!F31mBHHI<7w+&y9y%G_~mL2{vyPrzhM zk6y_=p?kC8CzuX&u77id@Zfi+tGqNKN~9q4W-uE3_VZjH$$-;nE}kb!xsdibeDxp$ 
zsax+$d$b*kOdrr|ad$J+xA;tLjc`O8;hZItlAAIPT4~zeVPigUQ~A4{O#v^>7No}v zod9e?-;LcW+!YQwMySXe<~~5QtFj|1sQ%&^FQSGlTf}2L>=v!Oaj(}1Qg2Si>-UGO z78>qOxI(!2tyO1I8j}~5wb}{{Cz0kWph{S9E7cOCM@=@@b za7;(g1SxCBK+y6^mdla;PZhT1mK0!4q_|(?sX2-EDjY_lT^*?k z&VBEQ+w8MCjSFJvC2i0;jze#4**rSfV+Xl}IO>x%PEm5=Oaknw0bUT=Zc$PK4e1W~ zFJ!F3&{#c1+{MtDvfIb9y(tc=U=tl5{Wz)*RTnQ3PFb8MLZFPJ%0KabKm*dLSgAa$g5bNmgXp2snfD1l+aM=6xCG!cg!$ zEEjP=98ZqZjMNwM(#`ivk9|nhZwX~Y8_grpUdJTCdR_ROQckf4a4*pu)tS05YyP>P zf{AU~VciKbTm@wT9)>=m?@ck)7QSxw5OX#!pbHUDq(=8B5x%eVNX~30|vwj#P2q=ytWJMe2-=JFf zlp ztNKoGCB+E3qVd0=gt^U!tC@BcC4HB1BUCu+^Yf2B0mur$)M(tu9}Ww17I z*x7V6h)sA%X{h46a&BQClnVkFERjM5j50pZ^}vitc*x~Ys!ul4%xIQ-g4y+bgo|a| zknY)LT+?wUGtIg>Ik?f9Mexc2@!f$nK8c6rUnw6|I#gA=1F^*7GMx&LBH!iWB?Y;C zR(h3QMS@~i_Lum60WZzZe}pT(#B+;EV{dMp`I5nEJ$LJq#smZOzQk++Yumv zh;rNoX-;az`;=|qNt-VVTfldfu;@kYD43?C`=kinBD>TO@5_!9iSHS#ePtY(&k%`? z^8hbpQksRURZ0zw{>XHiave-ewY9OQ5|#NROO!t#ejeyLPrQt~!gmN-jnBzV`D4Dd z6!CC~=tvONb@{l0*+cq0iM(^q*^WC70%J90oxc#VqLb_T%H09{B!R# zCChz~C~+JT0*41JP`;RH0_k`1-aC|*HY+rphtae*?f}}3Pxf}-Oxzv8;?WI0T|%Uh z?G3(A>_LVOzCXi)sag~%lGK=OE6$0fSRyrn`GR(Tc_X#tGJACo3r9s
`arB2k?}68ou!{e@rk5^3fI?w`iSd&BE&9V6Kv}*^u%|Gh*t2ee zh8-tF1JXuBiYA%QJ%Gd&o(ALtTrw%ZXlXsGt_0nX`7vAqfe{*9?*hzUU;u1f+=x3*!4dKRU`#D@udi0crt z`&eEA0;dgx6^v@nyeONG=VyPxMZjz<+Jul!Vs|~tkv}IixJTX#?Oy$dAeF!mD2P*X zH7iX?Mh+y6an%B67n8geGdcVyNKT}LntO*kGwYyUCxUyRd9#hhkHW@KZ$g-RTtifp zo23LeY4OiQLO%+_L=P1^I3{jkR16g6)m6Ldc&Mw?8!L2KYn>BcPaAQkr#AsB(hTiR zW@D<^o2L7WH6m@yiH?FM)IVA`-Fxt7AxsZV2*QUrPeS!I?VCQFRoz^`MP55~zH}Oa zo&y>JJzSWvz3;t7!dYk^IJ8L=#r#pC+&)4^Hg0mvlBsA)@p1h#5wn5@7E~lvr?FZw z0rJ_GU&b}0(vO^s()g_i2!w-6mzq^k! zQIfh&yZa~9;5JL6)vr9l_JX&5pP^MXf85$tLNzkAJ!Bc81GnukNy@DLL?fl_0YCOT z`E`$MOEDhwz{*Zj152=;y93j$n#p7*DK3|7wlo}dxU+a9Q$(RHn(5-u9spl$6GQo@ zu&ikrlQ#8B6fE%`IF>;`ae?yfG4sSMd!?XZw(KiprA-mgzR7Yyf{LL{A;G&qL( zkjlQ9CUCmQR9V%a^!4L4Wt^u0kdI_XW>*lep?~?*#uBU2bS64}-tQ2u=Sp*6Kfd>9 zPFb){LRi2YGxQS0n0pU#V8o&;^X74I!GY$&c(9Pf9x0H z^8_+Lw~2qPs_-)#cuy?bo>+=O-)C{d{jtOO0p2NaRUsC7;mq!vwjR@GD!A)NBkBQT z;O1;6LQXR4tnOhM&CSJ1XtOjt)Sjf?V2~+(cs*>R67sU;zVa9fzesKb2lp*a z%9xg`_!&alva;`z1d3U*(hB=Ph$GvwgcUR77K>>ntT)u24bmC%x_MsPk5rfVxX)a>`WfL0Q0L;EZSVO)NBi5h`lnfJv z@{vHG-4aP`-$q;zn*f+rlH2Yc(&I8S%tfGa8@wt5=o}Cl0b^+bwBdwS1Q50;xZnGG zos#x09PO1#Vk^?l3CO-d`FVbQr3OflPPKam(P&_TgZ3&VnoX5wrywH!_fC#a|8vu) zYy8(HIvLwTrN?3GJhc7wg_i*BfD~!qDby+5{%v7`Gm4}q*@|@V{FC_zQTd@%t7TxY z>OLQx428Lekw7J?0D98n5`Zi-S_^^~NnS~Z@dC(&xI)_cZ8<4gBoQ`vEo1e|9&$!; zjdBl^5ZC>obT~Hg`>^_1^r}I2zH3o@BDWOyRA~KpX7j&b1b94}UM0`HSsXp6f+-p{ z@LEpIN~e~Eb(f)QGLP)}sj8=l*2v?Lt0eOaT9#PCx`98WTu@3mirVe6!z?NbpWf{Y z%MS?BTB<>sv{!A_FUYjk8*;hE=33z&9MW3zP0rGhNSa*h0dz#nj}tUL8mYAVp5 zuvuG!XW30{=7#?6p2gLN^u1@`I39�{i+*I(;0<=;zhEm_LC{ez&jiU5(3wTKfxEd&frK_xosjOvqZ%vJpsgz$EJkPPbseotjG~i%9 zd{suVRkqc(RC3f#Zxo)LX@GlhnJ~kxF+TB>pzvWuv=3k-OB7MqVa=12ZNa2D^T~V8 zv=s7o`RVRje`zEB5Nh*h==NR<)Yc}1kIEb|pmiKJm1SG6Q~Gpo0gv7Mk0lG9!4gZe z0D+~z#c+M5V^gl5(uMwTCQ&iUv5;Kb$>D(+t!#&MXe&~q_X+zk+4$?(${ebtfg2qTqrINJS7UNql50V1(}Zp z`bma~Dk0k2`XkLmR)bg`WQJ~}P>o&ex#U9R;5>Iwc(fYK7}dTt&RkD!q*&}++^HIT zj0sjoc6=yGAbYKZNjrxX(xPtC#&ki&%EPhfB)v|pV8!=UQkcUPxxZN3J^>16Qk}1? 
zu9EqEe!P+{zK|-(&yYCV*WbcHd$Z{H2t@g^3%U_8#aydsLU=w9Y|MWN`7BJ7Jqq0( z-}`^^bJjWAA1Er%eogiCRK$OY=1H+)(q8lDU`24Xhiag;$;z4*x|*`?_rlOLH+~%E zEsh1xrb|rNK218OzBNMXph&bjQ7e0|8ubF?B5h4S{_qvJWK=)RREd@>R6S3<-+y?Q z-k(r;oG8&HU;FNtUa;JKt{)@o> zIuAR-NA4q}^*r)L0W5a!bnJZ4Q~3YV6*eSBS05<=fLvH$0L0&P#oEB!M%mcf&gwU5 z`M*TP+fwU*qviVL8+H9sNof||f2ckFyoN6m%Gm%t-%QAPDyszlU%lvlw4tdLIMtTY zM=QQ$iq%>QEoYE205dbIz9sFJF0Ev3O6vDJpkMXR0X8znQmd|iwIssi=kMfoFR{D) z`qYpkSgx-0hx27OXHV{o+gGoW-J{u~Qq}e{)6S$5I_nxp&a?%uulwgt=Y+r2rQT=I z8R+qx{q!y6V%G}G)A=*^_6Y^7qa2*$r+0SeG@K8ftR@s0j%Lu&`-KaDb$7;;c?J60 zay(~m9s!jkmU4P~L`Zlg2b_W&VRpdJas?P2&q+oAC14Qq6N-=14jR&zI5_PrCk84Y z0t0=}1(p{=8i!ACCSVw5pXal$F^h2uS8c#SE{_?G?9`ap!(zbF+XlS%>^V!~>soLp z+Y`*|ru|{yw86&hzvrTVZj^!bh`-+ zguU$D2jJUXsId%|{CbnkQljY@Y?<#g$GlDAGS?Hp%fHXz6X2X|87cr0Yf{-qr7-% z|96^*o!B!9X|lTKLR;&=uo3Z$sG^QcSCNWPPv{y|O>VRBv^`KP@#1OFT`)u1A0gLJ zuAyr)9qbjAbZE*>4z|C({c53e91NPd_|dFR6jIVntZfki_o{DC)!HS2KW8=GRToNLd|z$@TL_0Jk~S6 z6jNmaa{PsMP<<@CgS6#{e@^zlR!MlsSY~pSu)d`&OU0O9Ax4?Y+RKz?gjPE{RO3n$ zq#O3uu_{SLVT#=4Nk*Y$@dV#m9n*sv|IjT=ZIwY}32}YQ?^oS>8eb-z7~^)hXrfAEJI*bGZ847%eh3!wy~Q&VUvjs4WWpSKkcg7wtCDc z4Ad;;K3~RyHCyy>Zd9tYq?KjI((Kl?6}w8W4H@y{SdzAnj||lWI|yZa1fm%Uk+--! 
zI-;Ha?2HoJqQ(krN8Pojm2jfBy4apyjd@;aqtWm?Q6UF*K#VFDSXuOwOK6_7DO|xe z$2bL-2IOsoLM$Bz?Ref5SW))xNpYS<5?GM}@J@f4%J8St+z!*H0rgOVJtfhQzB#+n z?e6IkwWR{=PKSOx4g~Hlhk85?0qWKOI-QyV|F4-W<*XLWsV3p9WP@Vm0?yO=OWi3g zXrSw*kcUJsSenq$**}#Ww?)%HsG{6 zFv40;r#hs0u8#iO-gbGeD*oGB3VE*50NtH$0yhAP6o8L`Q{eCZShMg&0ypLVS>uth))_(z^EmxS;D!>gI~DqI z``2HkP>d&k;E(>mb->W5z{iR=nJ|O3>3L)U5(KNyiH2*`b~^ z@fWaK63y&`MPh$D#L%BK)9#R$ceyj8AB%z)QTw|qp&nau z;_Cn%pFPYGrO`X`b?Bx=#)yj&qzrTwgE=NtEm>iOa8}U6KTO`0aj4Ku{$5lAdPt#~ zTyfy)0GV7UEfi(YJ9cvFW=)I)Pt6dmBh zm*kiG=~h+~^1!gwZ{{>> z-pV~;E7T}nz&Umw8x|2GqUI>}D>@R*iSSdVQjs&{xdFohV>yu(FF6t}1k?de726cg zj%n$|)z;J+#z>XqYHKoDgzn-Z(1`B&-GP&s> z=F_xqa&ilV`_~Wg2>siIXl(DSdLbT&eGDaEktHGTzz9@zZ3SY@Es-n|MHT`-EnJMM zwf<~Wnf);HRs&lgK01Uso+a8)XGJ3U+g<;|0xz>n`>+X7B`=vz@jv2ByBn=Toe~<) zDlYoUv;gKz;_(%|HF zRoKvW9Ae%SsvMcIRuj1b^sGU{s1P2uOuRw`7@94 z#>9RH5?*ErLx@np#lW{{&5`)%^G>k*TI1_DC$VuX4>b7Ki7%`Pc_D?3OE8b~3s+c- zj5UUZ=Zj>sIae3VJoxGuL*E0fTlUrwc==N=pZ#P7~hA+tFcL>=aud-{B#KN(thjH9+riz5K4Iignkh98p2bgeA{1|6^EO&{qj`*wto$ZD}du%#Lf$*n%etL74(YNqEKX)UM zfUs;2Xs&0m{Qs;Ack_ub@N<BxHEl za$c$luhXDeifI+O*<4??&K8|ltD*+YZA?9EOY>%&`TGp=rzyD{I_~EI%OH;zC^PK8 zgNhLQEE$%1ZOGRR!CRFvh8FH|(QB6iKqVU-cS;I?w>w0eFAFP(6i%gCu(bqmKAdR# zDzY|&T3N)(IEWKS7F0LkcdW?E>J{PZTc*wXi&!$Uzrj(F?LfsG%w>B4yf1CoFHGdP z3st*KKQ3B-mrTkTO*H~St@6MfH)&z*J#93;F?BY&fmS-MgasRH_nW~UOHyLdBlnk( zC5O;@O`X=%W^LUOAXm&~G~J8Sq4SL9VrlTLvCz=X)Iys*Ir8db$WFOo%=<_|xUfWY zIUqCk(}`3xD>Bl*Dd5!Nt8CktpBAe)OrdlHMJ2iw3i>h!y`~7PAd{WQnhc5<+4CV* z4&8IEQ40-ra`V2K`3Hu*{rU$1X?29McflxSgHYgvsmO1EeDDVtq}VjKrtXNOOrZ&| z&vTG#Mjqq2;W<#%9W8Xy!d^S&UHq*rX zKgsIJMw)UkLM3IMjo{1k>vVZP9mEPO>LV+^AO^uvozpfU0@=HHG>K2xRGhUy?|#h( zCZT8$HZ8Y~S^Y(z0*IbxxbHri>;+=tvCqY%PnUWG<3D=K&X?#QrT%EJJV5QPoPVN{e`>*!#6ulLrOv<#}Yk0z;Hu_xQ4;L6{ZpjwHAIH&?~(e@6Etln(x z`J|*Xak|#*U0%+4xKJ~Mp+MHoTFT(vlI5{S{jef*Kg;~xtld6qriuh)ng`k%9NmmJ zk-um)){Z)5K9tQkZnMXZ&vnQfgDL&)GH=G@nTUH{mokZe9oBX)2h`ON!*88jzwd%N 
z1NiaT1iH_}OTKplyKp%xmVsVcUUc+Nf_nPx4i+}>hf-5@@U{<;Tyt-%RD169o~A0t{|3JLM*vG3p77QrInD>>BmRf(BLIg;c$7ps9&iUv&I2KVz#>1 zTbiOcugAm;=Qe9h+9$pS(ut6%wP#T{JjztJ{NEhz$PkG~1bd zKB4D(+-#WpRP8pCwns01K8cxOTyQtb$OkdtO{P1|V0Eh;XU||-{`F_Ba%oRHNBKN^ z;3~^yfvE1hOJ$y3qctgyPbrh+0{~gXQKr2$>dj0GX9m$(xLKo6T(SYlEYyfccujTL zvxY3$nmd_@X1r3Vqc%b12Ay5VC=+etWh@fvdB56a#*qY`Yvw^T+B8)1m4RZdaLMM$ zpo}yb=mjY*aE9AWPQIkW=5^(H$i8gAHa zLng~>{~h(#A>c2;DgyQZojanRV*Hy%r$M_h8ss(173_-io>1q(?-=jodZWc_lheQ`B+7z5bD8#p5^saTy$A3ErO0krm#X52-~Ohrmg< zDhXR*=~IJi*6?dY(ys2%8B`TSHs_oNSZYXOyy4PUnB-t~Xeb9%7Ug@Jo=XC>MS_l8 zWp!ZH76_nyAjq4i&Ir0^B`Sz+PK9<7v*1%gK;B-1WI9rru{{41N@Wadb{nJ`e*?HN zVFbbM$ZCogH7o!27NNjgH&vg>5mf1f1NpS4<}YCaFREKh+0AhZv_zl; zBhKs@37*i@w9bjiwS@MLOPsIj*-LM7a5v|X7jQc_y>+}J?zWQ*s&wIxah~}lo;hmx z$8liZ5#a9C3oc>rq?ZP|Bc1ANmF!g=lKPwrt*j5+S%;pXorzG6-gAqdfp)KyMfSEn za<@Wn{~rab-oGOsGM(jI>pL6$e7!@#+hgszW5L^_W3}fIU9l=%F``*J7F|*J|2o|; zYyYz1Pa^fC{<$$oU#T0?;t<{}a;_>{iRkvHrq>sIsBr(O!LuLM?HQKY!Eav{KJTV( zESKNXQgc~s@~PcSAoY;jZe^;~+Ux7+O}%=!uR+Br8C`cK)on_Cxh#ClQE|K+dx}zU zI#qN&R(y_7xeuYWd)A13xj?@2m~y_OJlJl`GL$TVzS-;6bTFyuQhw-CR=dvDY%ryw zUo<@qrphe}lEw)hlQjOD;F)?X!vcRS`|i{wF^peLB}Yw4290_%o1kh|*exLK;d_i+ zbVMY^+seViUxaOUq|3BJ%8;)LN>&Agyv@##|C|JjY@wnr6vvO|wpc~LU;rj*e<5l^ zaDq@1?D>s(u7<+kz&d=%*!bLqAJ33%VO z_v8LZE(`hOYQVh1b+?NuV&65Y;1%RH^=3eMw?7%h-3O5{SFD$QuT~YbDvG4iFF9de z6_ENMmrDQ0&{1WA<)slqJ>8HLwyQcFO%#Q)&oaY4GP~&S2-uyH@G zRIn`^Z(#Q0;H-oocq0Oa4kMr*7Ci`=&%FWd5Zu(&57_&tueTc?K@WrJHSS}G*@gMd zzg{0m#T4%VsO}AZPLrDhy}8KEc6-dqIE$lCM_sA9IItqq?n_07(u+`Dh5+qKXzYwA zeFN!6?@K8#E#vXPC$RV_lbwCAm;aI60;X&6JMh}4{XaX%# zuL>_^zIen#hhNTXAW>|9ViF@AD@FA#g1POvT(>c1t7Iw#A9UI?5ACq7ql$KY>+c+W z?w*WWQy=BBv?CeQrFr$G&V>&oN%)KtL;Mv**(y160}CZ~LeM*g_>x;-+)hHpJ!JM9 z=@04Fd+_X%OYsH`K>HAur>nzgGk7e)^#pO|SAfT2{aNIvP*nGV|2R+rv3Dg2xTAu5 zYN+b}HUekDoPRPz@5Qp%7@ZmXn3%&?-4Ax(hb0bMAFf}22p7^nyHoDmWS-f+sBc~^ z?^?eQ5aM(4Bt=wJMW`0E8zmW2J4W^-~WAHMK#=vw#(=4(Dy| zVkE6U#0XNl90MI4NFQ-f@k+pqcXd@@B#~&K1~x8>mqn5GaFLFdCOJm$x}6mH#eZFn4XO^T~R$7B6!=+ZE-4A6YWiRZVCgb 
zj*Xt;`xB!%-#~EG@fGtX$!FIs9gue>^K#`2e|jQ2T~QNRG>WLm%zuw}uA1VgiA@ob znhxHB^(M%7q%OZs#!LN)QGHA~$x{cWtuZ0E8&`6~gg!Y4lP!Fd^ zYrl};mNzMiQt8MR{rLvDhqkst__{X&N@l_dr@xw-e1JzRWZ~{W3hOUM#$iW=jqsWN z`uBp38qf2P4>{)1oL357HrPN(+$z223X*Q=5imPO(s$C=_8rtUdndHn+Mu>$RHA(r z3T+O);k2>aV!fCZXN*{s;TQr^t9Wl~+54$dlT+Xq~|GK;O5Nue-KO2x%D$GeivND^y4rgf?Y*G-ZS z(qpjf28+MER3x(vpjNnX<#K*_f;|OdKG>9jPX@<+wF>na!djO>?(|sZ_3qx7_^_Y1 zFz&uk-U{cSYkrlZI^#aFv=9FWei30v*&7zbIi}&~8C>cD9GcteHr;r`z%m~BC9-b# z;?&l}@vLy7I<406;B0kVZiJHMAB0ev6-z>%m6Slb03@XWL}HP2U$JZW7Ep;9tnNcN zIS_%5`eC(v7vpS*uO~R{`G5OCr;@nv2SGmqqc}gPgty7~r@FVW@JiQ&4UjuRE}@*6O`dJU0?-YHEc81%-l zK}iciTu0m%U`|gXAjXHZ6~c5-B$`qNMZxZjal7674wcADMS^s&3b8& zFxWW@?6KJ(RxVOk`mtRredB^~^!u(WrHf8U%jCPuKG8f#K63ZMY9GV2prM`JI*nm?{}6?90UKV)R?B^2 z9X}3eATHad{VBg$e{p%>TU#p(NEeC}{@{o+{grO4ex23SmKfwacR^Ha>fu+_mbk(a zT>H@c?c(O)?BmAu$@1#p_U&TJ_w|nI`L`qI`t|xz3LjIu-FXD3T~CR)qmIxdk~`bW z5D~#AY9aZ7OmD>(zIOZj>+*2nZg|_y&IzmX9X7M=%iqQnmC9wFdm^N#&Uc?(2KC$U zdXwWCxBOd6ud-WkY&On%enk!Cwq-)LO?t`#p-#<%zmUDsf%pFMs`^;Nn#c3JW5gwS8lXk6Hz9Devq;5s{L}ue z^~sycs??j%xOi==(HTW%YRZT1;=D71z?5ZJa-;p&bM9*ZkQbM)H2H9spG}Sxh@;@51ik-6KKYOg%kUkC9nCww}(t}woCJf z4aA^;W@}7mwlC&tb-=m{#7?66mHz|rQH-q}2lxA|TIzv6m^C=qIqPwsi-S{H4k+QF`K5DcfTBZZpkf!))FxgMuHoQii>Es!>G<)~xXI|MJw zOnZ+AHpTE506EwA#W5y#MrYP;~z<<*{!dTU1nZ$nV@ znv?jYwubH_zjwtSrIjVeBjahm2*XLOH>WuEPz)sWu;Ww$fq^Tt^4RV7)0hE6wz%+uq0+&5ka0{dRgKc)o#@XMpW%Tfq)yaQPCVw(F%=qtBc(r`k4}4U_ zR10=;3&W?BQT4`Rs+%1cQ^od^^`^g>32f0T>iaaGbsX1&84)|a8 zo)j{fw2s+2fJHVeh$ilAWp%W^BNd;#unltKR84D%L5KGAa(8g~yk<}D=xlsx7Tn`J zPMhqZhgH0}XiB2N7^1}&S$*W1`QG2p;VDE-YwTlv17+GIf=r=2ywGqU_q zyXwBDnK!q;^6}c=7Fq;*1@Q`pB6-fr#f8QXsFZdj_RWhGGiEye_XRMZ7(VWJkTV~? 
z)=~M`2Uu(F=2gvGM%o!x?|7z|#2xRh3@70gc3Lr<=Z!h`VUQkD@-y^uH@*DwfLL*w(x+)R_JPh3 zcUI0ofX_UAE-7~X!^(t_+y#}sepH&*i|zr*vbcK@zb{n#G(FA597x7QY)}xXyfr2q z+Y=pz_rT4?EMuDvK->r68!zIPLBeOk?;$LZtm<;d3i7}E3@YxqoRUsf|IES!x|_MWWFu3+z4qtqL#2Lj$iLF@SFa=S5*yX zY5|l)#KTNQSJE(=G=_Joi+PXY2mHjFUL9^mb5$z*aw0!B5c zK6k%A3J?N##JXD(ZD5%TUICU=7?+!R@5}xT?Y&nnGaL1z>2+d7E>dncna0WaXb6Vg zhQ#pUKdx%y9GKxAB=>h{YT?$9E4CTz z><+*@#cHL}zo1;NQy{+rRY%kCToIFwCz#N=-sr3&v6 zFtmPp|HAH!@wSg>rXC9?;G%sSmj?fkkgT?4PMetv*ekcCf&~rxt1$37seYzo7oyTQDGF<1 z#He6(hg)nV2-dMa_j593zKArXJ2%0eb@EXrrTe~+qEJtA!jIh?{&%5>+VeUk=<@KU zzYiqnrc+WKr~b#Nqp9s?Evb{UqjU0tV_aou&KSP?vUR%6`4N>!<)p)SlLxQbnjPOV zFOORC?DFW+GhprIggR(-4pwIGx2BM)QJOXmZhKISs*Uk%#nvFSp0n}iCw-c-qNU+W zHuIzpY4Se5kqEnvN~5Urq~z_yl~+z?36NXqLmB5aBAg_i{pJ9Dq#XkR&PzzJ7dKoX z_wZfGeZWdQjrlAm(EyQZaJ;-^TssBG2A?>?vN}f#meSEptd;A~eqIPwp}MuFL0gS& zYJuO-CuvT!NL3d{i2Ag3hT_3+J-A~*T>js|dTd>>q4nZd3s8;IS(WW7Y|5#i@CCa^ zaY2AliNC|_R}I&by+)}|l;K6G-MZ{lt1@WnbeLn;z2AQ$es_2-w1>Wf3fVfN5Ik^0 zF?t7PUOqSO50R1=vkA!_fA{;zvIx!x~D{7B9hVf7Kkh0jcB#&}@Kw{1*mR*peU2Y%D z`)nL!>N=6a`@-An&P0l9TzmIg7+|yuL{truf)&baN>R~vy|O3v-U97TmL=+fWR0tQ z3F$u*LnP4j5O655-SKuRGA%&|MnVzw2ypb0w4+0sN|W{~a3oOnsB=iE-UsXzcw}zg z&QyAFtR>p4bMf#ZrHjZxa8$f}UIXF--p z4wsw~f4+Vq)Cji^o&q7!-8N&Mi+yABJbSH|VUM0yROoOTa3TcVn^qB(mSKsdRd18K zIqypaRRJ8tC(!5MCWI~|741(b7^ON%@jcM1r&e;pb`6@*$q)GP;bI(iZ?jg`zJuX{ zySozjEK`7CnO>Qt&_054bsvbwmK3S{v&jAGr|pFM#!H-*x>*~{A?7y)3npgUh`#-v zo`HI*0N4!VOvL(FGC}K+UP~bA1Z@BOz1P)vULEjiqNN^(_kouiT(zo2-skGob&Pul z2P>prjD+(hco|ISBHh~u!KigT6~2@>bQ{ac7Qsel|h42CUCj` zH4s?2mv}r3wIV99H<`_MSL1;3k*j9(bf%w_whWKgU37HvifFMuJC7}H z1M@>cq<-Sd{b5y$V~s;p!C0!+mW}9;P=B!$rFw)~&$#OejfVfAc}lpZG%nN3Hv%9K zxCYZbRGo8F@BQo*!@CZfZN8Y93=XvKeRk<%!QAQ6Qj#E38~D3bNVd&5A$3x>K003Z z(bE8{i*3A7d@igaqQ?}2XC{kIaB5(BTil9MXmoUDUHV|Ir|wtLqSRtTO?5d)igtH* zSi%RpDq7fZ=cehHwm7wE7r;bm?VIs>1f>-sW}5D-DZLjZfi|--tz<_9y<|J7Ndc~O zT`d*0S4I9`eaVIhe-$HrYPr~mD!&D#dPs9!`Wcc;Bi#;V){E zEw&VMEqv4RkI5#Z&%s1a>IaKvni_sr6V;vJmGZRvKP|@7Hvjf)Ut7$!SO)oTm!?;{ 
ztBGK#=j(`I)s#Y2;zDeD3(WoWU5tYay0=B5r&NLYaSh(H(U8nWe-m>6kBJ0tRHPH?QUPd^D zv555x+ma(xRTO7iXtkzFRC7Qg*4iI-WxsVD!I7E#>NnCv5u$3F zpypfER_F~Jc4u%`e2cdMuu#2x!X+mGk6Mi?N*;X*5FvD6G*}vKx}dd!dS~_!!MQx$ zJlG1QIDIP=KqI-HT}lAfw`bH$SPk!vBL9eg9A`6l*MBtM3ZfW0>c1ed%V@>$*#dd* zZ6lqc# zCXSfS6(N32%oFjN3?lhRew__3gEWeC3UaKEwzmoH+5tZxF>cZ>96^kl{KC^wX8-{7 zFVk-&?{1-3X`q%2(LfhOMmdq2j+tHvtw~x%<39_s!&{h4`nzNiz z`Wma#s6fcl!JTk$L(S7vHw?!L_PG;Z09i}AbqbX#rjK&U=bszAs!V|zo(<4)Dl&ITvi4@1-@=nfvss^H8hyXW1CW@NsxnNHXoQ-m%{Z3X zPtvM7MUqMic|Ag38mX6{Cl{H@VkaN2XQTFcfBt%8Xd09fL)KHs;77RdnWb^`%&ecx z?2Hn-B0fsR4DLz|!g>o)ksi!mptUp+KQ@A7ePQPh&v`&^`#OqV%Fs9EX5`LNb#t+j zhuC|(|NGkpN_7QX zCBejP@Oq97{H7L@Y)u@+0+vc%6b!E_=y=)b5VCkh<*$~pk&;g*f=d88iX=Z)&|N6QoK1nA>ISaV{LUXG&0XWDt3%Tm; zhj4-16?o9-V04g|b&vW{*D~=|*W-`;wJa2j(-wo;hDU`euYk1U{7=TBjVYXbstBLJ zHJ)dLI)=s+Tkql@|5=yQq=d8CPY_xEpw3J+5R#kA%4%DUr-9as%jp(pw3}D_PwM5sd;+wFhk=!h?zV!iP+(v@=;T61&xcGdgNVP985?%i}{24LP z%?IKNp?n2ov#;=!ZsZsinx#5+*{~Sm0$lccV*8d@m&N78#V@h2-3YLSzEw`=JQ80Q z^FAE~2ITrk6;-@$ACy|xPQ_UrlwRGtjd~)atc*i2xhpIp0@;f%OW$_ux46qGv^~@G z{`_Zumj18(&g<(WA5K>alu_U0rmd z_ZG4&!RjRlLU8@Q@1Aq-`R=(hf6P1Q%$YN1-kCG+JkQKS1IW_)(&I9#t+ZL|JcQVY zvG$8d_J}Cxes&vEKa?ha^%*Aj;d5f$Au~AHPaCVtA$*5B>%bnnM!c>LhMW9FW(c&>hO1qP&jP2eRoZKW6GtBpw0rhd8`Me| zDqWSqJ;fSy4r~rXeCSG6Nqt(Q=5YoQg{4wI52`LFb9=~lKa=8S7cp5FK9ATO+$JyI zw$&?uiA~Dz#|9dkrBy5`7%f-EwQg1{rSQpus;)NYbG-j*p3LV8l}f~Z$*cWi{9$_C zGeb;8wc+kD?%_jw?;OE$#S0SGxOF?8Vc9o2U-9O{M{Nv6k~A3pX0b+Xw9Xw!sXfnW z_8I(3lZlb<3?Xe+0jZfCMt?68v1a7su(Gw`co>ggGg2XvFl21FLQ7J;@(5#0;rJk& zp-ItndANE~||amDu!sa|P+BZ+@IJhaJ0t(6q9GeebA#INxtjLlvNcFxHs z`B})uf!@NNTTG2_E-90ccOGqNv-6_{qyZjLB+^r}SgH~l7_atcn_9Mr-mx+6FZbV$ zs;j147XHP>m`su}>7m^!i&;ClY$ohzQzI}aB687lUrJ??zQb{4=igCpTinR$>eKII z9BN|4Fn!9LnO7gR$uJ-8GqDu_7lRLbPG_s~GDk+rSuv`Jn9RygEn`nG^-sw?`+qcD zdwA}gWNcuje{u+*AU`o#)Djn8P>g?)h_mc!TE$#>y+4Wc4WKX3V$!_cG6JeEBB4FycZwIn!@}#TNh- zNiC6#@cGzGFlL8El&F12xf1gF6)cUchMC-^45GfbBx0E!`dXtU4XH)H3rj9#W3!UF z>+QhNq%EeV-J~ONn+U;vau!V>BZS!kSYm4lh$v#vC(WWOq3n$^4Y@FeNMC{#% 
zj54F^*7e$Ug5pF%A867)PRkzgldbHOkz2yN@~0A*1OssCB0B7a#N86aOYys_m`7|= zW;&iv(OTzBJ-}(yB~L9&5|NHUhfwa36 z?|h;uI!6qwuc{A-hC`8L`!>)#%4liXbWPi1zTt!oW9|23FBYFJs4v>++YP6h+QR;E z-^4%eL)^QsaR1(Yh)V9Zv4Z_9r-J=g`}>Cj=wdzyv=e-PRQkM*?sU@oyBv1nBe_3O z>ZHgiZFW+lm+ZsnyWlsv0c=4Mu6_#~ed|r%Bgk0rp`KIq`I!XpD}@7U95q4 zbh;{_iih{Jkj2^1&i4}>Hx_lzE<&!yI;5(Zamk`D^Sp^=ETEhM3&-268*itHo~h|< zAMYFFq`fCk;VLWF@YtMeym+#wlQx80c5Q?w26Lc@DZU|CuQ(3d;znj6@1uX>Z!h_# ziQ$*uEsCOWF9!*Kg;S1^fg1mT?mfFVJ3y4}eISy4k(R;Ff!@s}Fe&d%K zcws-LQgaA{f)owi1Q?Z|(5b|%qR3IFePYI`8UcRLK|R|-=KVAKzLY}t?DuCOTd0i! zLxTvyY+5_4;gE$%I@L~w!Ch8(WEM5;y8+7;DBq>GUED;M`dkO1#h;o~*0B-nT-EX_SU@a{cOmmlL5|*sm7Q zyiIn;;Wuw0BoHYd@W%otK0pv0XB!hf(~rCRC9efL}6VfReSJ1p8u(w^T)zT%U8+SZz0 zjJouR_;}X)Sxw62FuR(5eDLkg!zO(&)7T5X0xo|cD|hfsLw=8zn??JoNdD8Dw%NA$ zU6f7kmf*qD{5I>0<>4(sdO+B#40gl&opp=i0F~~dBG@a(O)ESz#w2|lYA;dB-ximT zk~mD4pi%tyk@fjL4-ny1p_D!cM3^TKi*^eCx<=I+?dWm|qN2fDbve!Ci1}}JbV$Ns zu~m>brpI5Ad1MECP8D*0d;TU%Jdwjd=xXR2){4Q;Vgd0sTXV#**xUBOjo&!Onn)+B zkyDhf*Qv^|wR)jx2_c$$3sQ=dhj{yvz9BMKDITrAjX;F1LT1bQ*x#+jE8r?!D~IqR4vNg!7=xYl@W4dMbt# z8~ymRMC5Zy3<|tT89Z@BAgYhc9v_&*ygdWkmT7b4CiJpW{3ImmrX^In`-hO=6;_C5 zcm69C|MjB=qS+|~j|6a!IFkTdpf$V<-_xV8uF_LgkT8G(0#lvSSR-*>#{)Ho0Nh1t z-2{Jq_uN9}%+`zI*Vr?PL#)^;RNqiM=e1DVBDy4+b|PXUXhcs_09I6laR+at($@)E zU5LHKAkT_mjZ`8H(T06&iUkGL1z3K0dqma_X6SB;O!#J!>#I*oS_Z316BG?f6Owsr z#+51hfVx%q*BGyjsSV&FcT{T4OFzRT9%B>s591y>;|fN;}Tt^9*WU0!OhLiJgp~zMSKk(r9PQ4L`t%pj!7SZ z5w^MuJLG6@X-}XZwt9{H60@`fi_Hr~g406QFMFTSLt+Sn&$EWI62Rj2jshD(P7=*3 zW4g8mmACZ~z@9@zF4r?Pb6_6J`c1&<`0D*+ouvXLpA%0e^c{@4hBya&0ez;IgpLVDcLDF zmsHW!(k-8jlN?izQ^hrPMdfi& zq}}xvt=&@x(I!8hXkwU@!-8)#oYH~ol~8K2b>Q9F%vNm2;mE#mc0WUF z(pr0OM*!=L2rT6C-qIuT0_0Gl_^P%TQ*DY4x-4933 zW-M-3U<5+CW|?0p$M(h*)6>Mv5MVbweM=}~gKNe(4tSNAl022EHsz+^!>XWY7c5lY%a z9}Eer2RNT@DqJc%)@D1$U#w(l7CVr!R@yM;GKF54t(Mh3rYvVX_SY7VCH(D6V9zWFv)9{ke@`vaamtY-_yMGa@?IV5ty6q(O#QKT{v+ z2#ZM55ZB3v2ELT|Z{l6AsS0>r%pD*qF&0t8nY+C{d0V^WA8oT&Z~qvW-`qq#hxa?w 
zudcA+#BSih*SY^{#KKiioUiR=+ajIgSyKnB9A4H%Ke-GIrtkc%YPvybDr`7;sxWD1AvHh3&n`+{>#FZAb7yX&d*$ zoAz4)FK@S9exN=VU+{JUE9c;yoKYR^sAMyJIBA zmG`Qz50Yj$1X`5t0nB=v*A7vr%J+kOD3*zTJq1Gz5WC&|aZU1{!-xHNa=|o)FVzET z{)SbOT|2hSIk4G}BUope&Lk?AOoD74skjjtYFYxxO$N0zVQ${dhw~m~hY0pl}panePdDQ4p8BqYJfP@L4JD^}EVLdS#vG_^)3q*EpKr}?+L#pJ? z>DY8dR6FW2P%PTb!8iyD<)i~qFbnD&J9F(x@xK^Fx=!_&KSW6P$F?BnM=|8dG zZdUWziC2x9idSvB=W6<2$S>5O9Xt~PyUF~v(SBRzv~p9&DfqWdE3QXSzSQGRnZN#R zi~V=+Tj$b)a*h3@ajLyvgTDM4&c53BQtJl`u6h2h3Np^m)@!Kc8mb5kY^X)Y1qS*R zt@vAk%-B}ktnzu>hjIf|I;!;iSKDQNL(UHoIkcRo?=#MbW<^ZVp*A(j_Gc{eA>L>lP$C2fG*S!Mpkj@hc6-;gd~m0`Ke(;m|AG@DJ{n*O!2BhT9FcGmFIwyIa{dKWn#8qi9Ftc#&Dg zLME=Uo-DG0)==j=z;=>Hj1hJ`HI)3o0ns3C+WR_#>Zj8WyS&Zbz>^Y{w{u>pfn)L@ zndKUaM}6K}dp%3IOUOXR_HJPTY3rK^x3={qDjCHVwts)l9V;i{5LYYK>Ni!eIq#C% zTP3K%M$jw_0`5QN#-mQol`M1&P{%Xm_S*|Q^m6`G)-~~W4b^7N6l_(0tBb>WyDg-X zCUHYpG+hmadR8U5nN8$T8CB1x%*iX14i2NLo8=)7B|QdK$?50uRvbb>ql4HF`-PeK zyFz?c$ss1@tAz&~!@KTr4j^}c_XN>iX(GzEYm+~X<_sD?$DuEJ9c~o6-z{4$@C~ey zzgzaFPNrL3ye zYbJ;D%Jn3CwC|!1uVxS^B)z{OC?M;IC;3;F;)!eFI(R89iBefDE>M5?7wGm0!?4Gi zWnsW^ySNt~$(YPBtR92a-s|Vipli%L7H^Lb;Uo;`ngpK7=@Ow7x^f247Zya9)Fgi6 zP==b?7?15)Oc28k;qoABys%!BmgcuiqF)@leGd+mDXE=O*((BTAPvi9n?fH{YW#aU zUHfVc^FN+SWzk%U{g%{@`J`SH15T4brWhe!6~@@8tIi`Rm9CEd_A4sd)LY7Pnib^< z5UcV<_TO{*v{fS~v@2DFJK-lBO%+8HHMqfzC048c_zUcLK}`}Wk0bvOf*8w~03w#5 zy}?dZHW#JO5*F(dzrpv8PWhh)A-2#7pr*;&-iMsrv96C_`wV_s+w?iR06G3BK?xW# z`KN$btmR@1$-EokVk6ydsS#C?;bU61!k2M|;iu=g$f;T2P7GDve7YQj_BNMHz z)gRx0;yLc8iNqCkf2BL79aFOg@a7DHn9LlWz8YJHI^lI%{mW=JL)S4BV?2fi7XNKT zH~sagQfcuu!7#}4_1tirYqm5>%SjSX)F&zuxCVShm(8^`JPUq&N^|Zo!a3{s+g8Jg zLsAW+nN*mec$GA1?!j}nid)`U^KneXbl*Dfx6ZPqtnbF)V3?o$Pj)*u?k(Osr3#8S zo5bASivv\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Trend Micro Apex 
One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information. \n\r\n1. **Trend Micro Apex One via AMA** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Trend Micro Apex One via Legacy Agent** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Trend Micro Apex One via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/OSSEC/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Trend Micro Apex One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information. \n\r\n1. **Trend Micro Apex One via AMA** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Trend Micro Apex One via Legacy Agent** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Trend Micro Apex One via AMA Connector. 
Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -60,14 +60,15 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Solution installs the data connector for Trend Micro Apex One. You can get Trend Micro Apex One CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "The Trend Micro Apex One connector allows you to easily connect your Trend Micro Apex One events logs with Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, + { "name": "dataconnectors-parser-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." + "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the TMApexOneEvent Kusto Function alias." } }, { 
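Review bot: The new `dataconnectors1-text` reads "The Trend Micro Apex One connector allows you to easily connect your Trend Micro Apex One events logs", but the solution description in the hunk just above now advertises two connectors (via AMA, recommended, and via Legacy Agent) and warns that running both on one machine duplicates ingestion, so the singular wording no longer tells the installer which connector this block refers to, and "events logs" should be "event logs". Suggest `"text": "The Trend Micro Apex One solution installs two data connectors (via AMA, recommended, and via Legacy Agent); enable only one of them per machine to avoid duplicate ingestion. After installing the solution, configure and enable the data connector by following guidance in Manage solution view."`. The rewritten parser text is fine as written. Separately, the new description in the preceding hunk links the Release Notes to `Solutions/OSSEC/ReleaseNotes.md`, which looks like a copy-paste from another solution's package and should point at this solution's own release notes.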
@@ -79,13 +80,6 @@
 "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
 }
 }
- },
- {
- "name": "dataconnectors2-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Trend Micro Apex One. You can get Trend Micro Apex One CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
 }
 ]
 },
@@ -102,7 +96,7 @@
 "name": "workbooks-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+ "text": "The workbook installed with the Trend Micro Apex One help’s you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
 }
 },
 {
@@ -308,7 +302,7 @@
 "name": "huntingqueries-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
+ "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view."
 }
 },
 {
@@ -330,7 +324,7 @@
 "name": "huntingquery1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Shows behavior monitoring actions taken for files. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
+ "text": "Shows behavior monitoring actions taken for files. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
 }
 }
 ]
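Review bot: The new `workbooks-text` string in the @@ -102 hunk has a typo with a curly apostrophe, `help’s you`, which should be `helps you`, and it also drops the noun after the product name ("the Trend Micro Apex One ... help's you"). Suggest `"text": "The workbook installed with the Trend Micro Apex One solution helps you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."`.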
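Review bot: The rewritten `huntingquery1-text` in the @@ -330 hunk now says the query depends only on the `TrendMicroApexOne` data connector, while the removed text listed both `TrendMicroApexOne` and `TrendMicroApexOneAma` and the solution description earlier in this file recommends the AMA connector; an installer who deploys only the AMA connector, as recommended, would read this as unsupported. The same wording change is repeated for `huntingquery2-text` through `huntingquery10-text` in the hunks from @@ -344 through @@ -456, so one fix pattern applies to all of them. Suggest `"text": "Shows behavior monitoring actions taken for files. This hunting query depends on the TrendMicroApexOne or TrendMicroApexOneAma data connector (TMApexOneEvent Parser or Table)"` and the equivalent for the others. If the UI text is generated from the hunting-query YAML, the generator's connector list should be fixed rather than the JSON by hand.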
@@ -344,7 +338,7 @@
 "name": "huntingquery2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Shows behavior monitoring operations by users. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
+ "text": "Shows behavior monitoring operations by users. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
 }
 }
 ]
@@ -358,7 +352,7 @@
 "name": "huntingquery3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Shows behavior monitoring triggered policy by command line. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
+ "text": "Shows behavior monitoring triggered policy by command line. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
 }
 }
 ]
@@ -372,7 +366,7 @@
 "name": "huntingquery4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Shows behavior monitoring event types. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
+ "text": "Shows behavior monitoring event types. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
 }
 }
 ]
@@ -386,7 +380,7 @@
 "name": "huntingquery5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Shows channel type. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
+ "text": "Shows channel type. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
 }
 }
 ]
@@ -400,7 +394,7 @@
 "name": "huntingquery6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Shows data loss prevention action by IP address. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
+ "text": "Shows data loss prevention action by IP address. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
 }
 }
 ]
@@ -414,7 +408,7 @@
 "name": "huntingquery7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches rare application protocols by Ip address. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
+ "text": "Query searches rare application protocols by Ip address. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
 }
 }
 ]
@@ -428,7 +422,7 @@
 "name": "huntingquery8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches spyware detection events. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
+ "text": "Query searches spyware detection events. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
 }
 }
 ]
@@ -442,7 +436,7 @@
 "name": "huntingquery9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches suspicious files events. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
+ "text": "Query searches suspicious files events. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
 }
 }
 ]
@@ -456,7 +450,7 @@
 "name": "huntingquery10-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows list of top sources with alerts. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
+ "text": "Query shows list of top sources with alerts. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
 }
 }
 ]
diff --git a/Solutions/Trend Micro Apex One/Package/mainTemplate.json b/Solutions/Trend Micro Apex One/Package/mainTemplate.json
index a0ef874960d..d1557a5c99a 100644
--- a/Solutions/Trend Micro Apex One/Package/mainTemplate.json
+++ b/Solutions/Trend Micro Apex One/Package/mainTemplate.json
@@ -38,12 +38,12 @@
 }
 },
 "variables": {
- "solutionId": "azuresentinel.azure-sentinel-solution-trendmicroapexone",
- "_solutionId": "[variables('solutionId')]",
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Trend Micro Apex One",
 "_solutionVersion": "3.0.0",
+ "solutionId": "azuresentinel.azure-sentinel-solution-trendmicroapexone",
+ "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "TrendMicroApexOne",
 "_uiConfigId1": "[variables('uiConfigId1')]",
 "dataConnectorContentId1": "TrendMicroApexOne",
@@ -62,6 +62,15 @@
 "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
 "dataConnectorVersion2": "1.0.0",
 "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
+ "parserName1": "Trend Micro Apex One Data Parser",
+ "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
+ "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
+ "_parserId1": "[variables('parserId1')]",
+ "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]",
+ "parserVersion1": "1.0.0",
+ "parserContentId1": "TMApexOneEvent-Parser",
+ "_parserContentId1": "[variables('parserContentId1')]",
+ "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]",
 "workbookVersion1": "1.0.0",
 "workbookContentId1": "TrendMicroApexOneWorkbook",
 "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
@@ -641,13 +650,13 @@ "instructionSteps": [ { "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", - "instructions": [] + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" + }, { "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. 
While configuring, on step 6, select the log format **CEF**.", - "instructions": [] + "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**." + }, { "title": "Step C. Validate connection", 
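Review bot: Step A tells the operator to create a DCR that collects the "required facility of logs" and Step B to turn on syslog forwarding in Apex Central, but neither description names the syslog facility the two sides have to agree on, so a reader can end up with a DCR that never matches what Apex Central emits and the collector receives nothing. Consider extending Step B's description with a sentence such as `Configure Apex Central to forward on the same syslog facility that the DCR created in Step A collects.` (with the facility this connector expects filled in). The hunk also appears to add an empty line after each new `description` value (the lone `+` before `},`), which is harmless in JSON but worth dropping for a clean template. The same instruction text is duplicated in the hunk at @@ -831, so both copies need the edit.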
@@ -831,13 +840,13 @@ "instructionSteps": [ { "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", - "instructions": [] + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" + }, { "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. 
While configuring, on step 6, select the log format **CEF**.", - "instructions": [] + "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**." + }, { "title": "Step C. Validate connection", 
@@ -868,6 +877,138 @@ } } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "TMApexOneEvent Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('_parserName1')]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Trend Micro Apex One Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "TMApexOneEvent", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Trend Micro\"\n| where DeviceProduct == \"Apex Central\"\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack (DeviceCustomNumber1Label, DeviceCustomNumber1,\n DeviceCustomNumber2Label, DeviceCustomNumber2,\n DeviceCustomString1Label, DeviceCustomString1,\n DeviceCustomString2Label, DeviceCustomString2,\n DeviceCustomString3Label, DeviceCustomString3,\n DeviceCustomString4Label, DeviceCustomString4,\n 
DeviceCustomString5Label, DeviceCustomString5,\n DeviceCustomString6Label, DeviceCustomString6,\n DeviceCustomDate1Label, DeviceCustomDate1,\n DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| project-rename EventVendor=DeviceVendor,\n EventProduct=DeviceProduct,\n EventProductVersion=DeviceVersion,\n EventSubType=DeviceEventClassID,\n EventMessage=Activity,\n EventSeverity=LogSeverity,\n EventOriginalUid=DeviceExternalID,\n EventEndTime=ReceiptTime,\n DstDvcHostname=DestinationHostName,\n DstIpAddr=DestinationIP,\n DstUserName=DestinationUserName,\n DstPortNumber=DestinationPort,\n DstServiceName=DestinationServiceName,\n SrcPortNumber=SourcePort,\n SrcIpAddr=SourceIP,\n SrcDvcHostname=SourceHostName,\n SrcServiceName=SourceServiceName,\n SrcUserName=SourceUserName,\n SrcProcessName=SourceProcessName,\n SrcMacAddr=SourceMACAddress,\n DvcAction=DeviceAction,\n DvcHostname=DeviceName,\n DvcProcessName=ProcessName,\n FileHashSha1=FileHash,\n UrlOriginal=RequestURL,\n NetworkDirection=CommunicationDirection\n| extend Command = iif(DeviceCustomString3Label == \"Command\", DeviceCustomString3, \"\")\n| extend ActionResult = iif(DeviceCustomString5Label == \"ActionResult\", DeviceCustomString5, \"\")\n| extend Event_Type = iif(DeviceCustomNumber2Label == \"Event_Type\", DeviceCustomNumber2, long(null))\n| extend VirusName = iif(DeviceCustomString1Label == \"VirusName\", DeviceCustomString1, \"\")\n| extend Policy = iif(DeviceCustomString2Label == \"Policy\", DeviceCustomString2, \"\")\n| extend ProcessCommandLine = iif(DeviceCustomString4Label == \"ProcessCommandLine\", DeviceCustomString4, \"\")\n| project-away DeviceCustomNumber1Label,\n DeviceCustomNumber1,\n DeviceCustomNumber2Label,\n DeviceCustomNumber2,\n DeviceCustomString1Label,\n DeviceCustomString1,\n DeviceCustomString2Label,\n DeviceCustomString2,\n DeviceCustomString3Label,\n DeviceCustomString3,\n DeviceCustomString4Label,\n DeviceCustomString4,\n DeviceCustomString5Label,\n 
DeviceCustomString5,\n DeviceCustomString6Label,\n DeviceCustomString6,\n DeviceCustomDate1Label,\n DeviceCustomDate1,\n DeviceCustomDate2Label,\n DeviceCustomDate2\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "dependsOn": [ + "[variables('_parserId1')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + "version": "[variables('parserVersion1')]", + "source": { + "name": "Trend Micro Apex One", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_parserContentId1')]", + "contentKind": "Parser", + "displayName": "Trend Micro Apex One Data Parser", + "contentProductId": "[variables('_parsercontentProductId1')]", + "id": "[variables('_parsercontentProductId1')]", + "version": "[variables('parserVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('_parserName1')]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Trend 
Micro Apex One Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "TMApexOneEvent", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Trend Micro\"\n| where DeviceProduct == \"Apex Central\"\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack (DeviceCustomNumber1Label, DeviceCustomNumber1,\n DeviceCustomNumber2Label, DeviceCustomNumber2,\n DeviceCustomString1Label, DeviceCustomString1,\n DeviceCustomString2Label, DeviceCustomString2,\n DeviceCustomString3Label, DeviceCustomString3,\n DeviceCustomString4Label, DeviceCustomString4,\n DeviceCustomString5Label, DeviceCustomString5,\n DeviceCustomString6Label, DeviceCustomString6,\n DeviceCustomDate1Label, DeviceCustomDate1,\n DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| project-rename EventVendor=DeviceVendor,\n EventProduct=DeviceProduct,\n EventProductVersion=DeviceVersion,\n EventSubType=DeviceEventClassID,\n EventMessage=Activity,\n EventSeverity=LogSeverity,\n EventOriginalUid=DeviceExternalID,\n EventEndTime=ReceiptTime,\n DstDvcHostname=DestinationHostName,\n DstIpAddr=DestinationIP,\n DstUserName=DestinationUserName,\n DstPortNumber=DestinationPort,\n DstServiceName=DestinationServiceName,\n SrcPortNumber=SourcePort,\n SrcIpAddr=SourceIP,\n SrcDvcHostname=SourceHostName,\n SrcServiceName=SourceServiceName,\n SrcUserName=SourceUserName,\n SrcProcessName=SourceProcessName,\n SrcMacAddr=SourceMACAddress,\n DvcAction=DeviceAction,\n DvcHostname=DeviceName,\n DvcProcessName=ProcessName,\n FileHashSha1=FileHash,\n UrlOriginal=RequestURL,\n 
NetworkDirection=CommunicationDirection\n| extend Command = iif(DeviceCustomString3Label == \"Command\", DeviceCustomString3, \"\")\n| extend ActionResult = iif(DeviceCustomString5Label == \"ActionResult\", DeviceCustomString5, \"\")\n| extend Event_Type = iif(DeviceCustomNumber2Label == \"Event_Type\", DeviceCustomNumber2, long(null))\n| extend VirusName = iif(DeviceCustomString1Label == \"VirusName\", DeviceCustomString1, \"\")\n| extend Policy = iif(DeviceCustomString2Label == \"Policy\", DeviceCustomString2, \"\")\n| extend ProcessCommandLine = iif(DeviceCustomString4Label == \"ProcessCommandLine\", DeviceCustomString4, \"\")\n| project-away DeviceCustomNumber1Label,\n DeviceCustomNumber1,\n DeviceCustomNumber2Label,\n DeviceCustomNumber2,\n DeviceCustomString1Label,\n DeviceCustomString1,\n DeviceCustomString2Label,\n DeviceCustomString2,\n DeviceCustomString3Label,\n DeviceCustomString3,\n DeviceCustomString4Label,\n DeviceCustomString4,\n DeviceCustomString5Label,\n DeviceCustomString5,\n DeviceCustomString6Label,\n DeviceCustomString6,\n DeviceCustomDate1Label,\n DeviceCustomDate1,\n DeviceCustomDate2Label,\n DeviceCustomDate2\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "dependsOn": [ + "[variables('_parserId1')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + "version": "[variables('parserVersion1')]", + "source": { + "kind": "Solution", + "name": "Trend Micro Apex One", + "sourceId": 
"[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
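Review bot: The parser function's description tag is left empty (`"value": ""`) in both the contentTemplates copy and the workspace-level savedSearches copy; a one-line purpose such as `Maps Trend Micro Apex Central CEF events from CommonSecurityLog to the TMApexOneEvent schema used by this solution's analytic rules, hunting queries and workbook` would make the function's intent visible to anyone browsing the workspace. The query selects rows with case-sensitive equality on `DeviceVendor == "Trend Micro"` and `DeviceProduct == "Apex Central"`; if the CEF-via-AMA path emits different casing or a different product string, every rule that depends on TMApexOneEvent would silently return zero rows, so this presumably deserves a check against an AMA-ingested sample before release. The same multi-kilobyte KQL string is embedded twice in this hunk, so any future parser correction has to be applied in both places; that layout appears to be the standard solution packaging output and is noted only as a maintenance caveat.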
@@ -895,7 +1036,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **TMApexOneEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-TMApexOneEvent-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"60\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where isnotempty(DstDvcHostname)\\r\\n| summarize 
dcount(DstDvcHostname)\",\"size\":3,\"title\":\"Devices\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\n| where isnotempty(SrcUserName)\\n| summarize dcount(SrcUserName)\",\"size\":3,\"title\":\"Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\n| where isnotempty(SrcProcessName)\\n| summarize dcount(SrcProcessName)\",\"size\":3,\"title\":\"Processes\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where EventMessage has \\\"Endpoint Application Control\\\"\\r\\n | where DvcAction has \\\"blocked\\\"\\r\\n | count\",\"size\":3,\"title\":\"Blocked applications\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"customWidth\":\"30\",\"name\":\"group - 
15\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | extend EventType = case(\\r\\n EventMessage == \\\"7\\\", \\\"Web Security\\\", \\r\\n EventMessage == \\\"virusa\\\", \\\"Predictive Machine Learning\\\",\\r\\n EventMessage == \\\"Attack Discovery Detections\\\", \\\"Attack Discovery Detection\\\", \\r\\n EventMessage == \\\"Behavior Monitoring\\\", \\\"Behavior Monitoring\\\",\\r\\n EventMessage == \\\"CnC Callback\\\", \\\"C&C Callback\\\", \\r\\n EventMessage == \\\"This is a policy name\\\", \\\"Policy name\\\",\\r\\n EventMessage == \\\"Data Loss Prevention\\\", \\\"Data Loss Prevention\\\", \\r\\n EventMessage == \\\"Device Access Control\\\", \\\"Device Access Control\\\",\\r\\n EventMessage == \\\"Endpoint Application Control Violation Information\\\", \\\"Endpoint Application Control\\\", \\r\\n EventMessage == \\\"Engine Update Status\\\", \\\"Engine Update Status\\\",\\r\\n EventMessage == \\\"Managed Product Logon/Logoff Events\\\", \\\"Managed Product Logon/Logoff Events\\\", \\r\\n EventMessage == \\\"Suspicious Connection\\\", \\\"Suspicious Connection\\\",\\r\\n EventMessage == \\\"Pattern Update Status\\\", \\\"Pattern Update Status\\\", \\r\\n EventMessage == \\\"VAN_RANSOMWARE.umxxhelloransom_abc\\\", \\\"Sandbox Detection\\\",\\r\\n EventMessage == \\\"Spyware Detected\\\", \\\"Spyware Detected\\\", \\r\\n EventMessage == \\\"JS_EXPLOIT.SMDN\\\", \\\"Virus/Malware Detected\\\",\\r\\n EventMessage == \\\"Suspicious Files\\\", \\\"Suspicious Files\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize count() by 
EventType\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where isnotempty(ApplicationProtocol)\\r\\n | extend AppProtocol = case(\\r\\n ApplicationProtocol == \\\"0\\\", \\\"Unknown\\\", \\r\\n ApplicationProtocol == \\\"1\\\", \\\"SMTP\\\",\\r\\n ApplicationProtocol == \\\"2\\\", \\\"POP3\\\",\\r\\n ApplicationProtocol == \\\"3\\\", \\\"IRC\\\", \\r\\n ApplicationProtocol == \\\"4\\\", \\\"DNS Response\\\",\\r\\n ApplicationProtocol == \\\"5\\\", \\\"HTTP\\\",\\r\\n ApplicationProtocol == \\\"6\\\", \\\"FTP\\\", \\r\\n ApplicationProtocol == \\\"7\\\", \\\"TFTP\\\",\\r\\n ApplicationProtocol == \\\"8\\\", \\\"SMB\\\",\\r\\n ApplicationProtocol == \\\"9\\\", \\\"Windows Live Messenger (MSN)\\\", \\r\\n ApplicationProtocol == \\\"10\\\", \\\"AIM\\\",\\r\\n ApplicationProtocol == \\\"11\\\", \\\"Yahoo! Messenger\\\",\\r\\n ApplicationProtocol == \\\"12\\\", \\\"Gmail\\\",\\r\\n ApplicationProtocol == \\\"13\\\", \\\"Yahoo! 
Mail\\\", \\r\\n ApplicationProtocol == \\\"14\\\", \\\"Windows Live Hotmail\\\",\\r\\n ApplicationProtocol == \\\"15\\\", \\\"RDP\\\",\\r\\n ApplicationProtocol == \\\"16\\\", \\\"DHCP\\\",\\r\\n ApplicationProtocol == \\\"17\\\", \\\"Telnet\\\", \\r\\n ApplicationProtocol == \\\"18\\\", \\\"LDAP\\\",\\r\\n ApplicationProtocol == \\\"19\\\", \\\"File transfer\\\",\\r\\n ApplicationProtocol == \\\"20\\\", \\\"SSH\\\",\\r\\n ApplicationProtocol == \\\"21\\\", \\\"Dameware\\\", \\r\\n ApplicationProtocol == \\\"22\\\", \\\"VNC\\\",\\r\\n ApplicationProtocol == \\\"23\\\", \\\"Cisco Telnet\\\",\\r\\n ApplicationProtocol == \\\"24\\\", \\\"Kerberos\\\", \\r\\n ApplicationProtocol == \\\"25\\\", \\\"DCE RPC\\\",\\r\\n ApplicationProtocol == \\\"26\\\", \\\"SQL\\\",\\r\\n ApplicationProtocol == \\\"27\\\", \\\"pcAnywhere\\\", \\r\\n ApplicationProtocol == \\\"28\\\", \\\"ICMP\\\",\\r\\n ApplicationProtocol == \\\"29\\\", \\\"SNMP\\\",\\r\\n ApplicationProtocol == \\\"30\\\", \\\"Virus pattern TCP\\\", \\r\\n ApplicationProtocol == \\\"31\\\", \\\"Virus pattern UDP\\\",\\r\\n ApplicationProtocol == \\\"32\\\", \\\"HTTPS\\\",\\r\\n ApplicationProtocol == \\\"33\\\", \\\"SMB2\\\",\\r\\n ApplicationProtocol == \\\"34\\\", \\\"MMS\\\", \\r\\n ApplicationProtocol == \\\"35\\\", \\\"IMAP4\\\",\\r\\n ApplicationProtocol == \\\"36\\\", \\\"RADIUS\\\",\\r\\n ApplicationProtocol == \\\"37\\\", \\\"Radmin\\\",\\r\\n ApplicationProtocol == \\\"38\\\", \\\"FTP_Response\\\", \\r\\n ApplicationProtocol == \\\"48\\\", \\\"RTSP/RTP-UDP\\\",\\r\\n ApplicationProtocol == \\\"49\\\", \\\"RTSP/RTP-TCP\\\",\\r\\n ApplicationProtocol == \\\"50\\\", \\\"RTSP/RDT-UDP\\\",\\r\\n ApplicationProtocol == \\\"51\\\", \\\"RTSP/RDT-TCP\\\",\\r\\n ApplicationProtocol == \\\"52\\\", \\\"WMSP\\\",\\r\\n ApplicationProtocol == \\\"53\\\", \\\"SHOUTCast\\\", \\r\\n ApplicationProtocol == \\\"54\\\", \\\"RTMP\\\",\\r\\n ApplicationProtocol == \\\"68\\\", \\\"DNS Request\\\",\\r\\n ApplicationProtocol == 
\\\"256\\\", \\\"BitTorrent\\\", \\r\\n ApplicationProtocol == \\\"257\\\", \\\"Kazaa\\\",\\r\\n ApplicationProtocol == \\\"258\\\", \\\"Limewire\\\",\\r\\n ApplicationProtocol == \\\"259\\\", \\\"Bearshare\\\", \\r\\n ApplicationProtocol == \\\"260\\\", \\\"Bluester\\\",\\r\\n ApplicationProtocol == \\\"261\\\", \\\"Edonkey emule\\\",\\r\\n ApplicationProtocol == \\\"262\\\", \\\"Edonkey2000\\\",\\r\\n ApplicationProtocol == \\\"263\\\", \\\"Filezilla\\\", \\r\\n ApplicationProtocol == \\\"264\\\", \\\"Guncleus\\\",\\r\\n ApplicationProtocol == \\\"265\\\", \\\"Gnutella\\\",\\r\\n ApplicationProtocol == \\\"266\\\", \\\"Winny\\\",\\r\\n ApplicationProtocol == \\\"267\\\", \\\"Napster\\\", \\r\\n ApplicationProtocol == \\\"268\\\", \\\"Morpheus\\\",\\r\\n ApplicationProtocol == \\\"269\\\", \\\"Napster\\\",\\r\\n ApplicationProtocol == \\\"270\\\", \\\"Shareaza\\\",\\r\\n ApplicationProtocol == \\\"271\\\", \\\"WinMX\\\", \\r\\n ApplicationProtocol == \\\"272\\\", \\\"Mldonkey\\\",\\r\\n ApplicationProtocol == \\\"273\\\", \\\"Direct Connect\\\",\\r\\n ApplicationProtocol == \\\"274\\\", \\\"Soulseek\\\", \\r\\n ApplicationProtocol == \\\"275\\\", \\\"OpenAP\\\",\\r\\n ApplicationProtocol == \\\"276\\\", \\\"Kuro\\\",\\r\\n ApplicationProtocol == \\\"277\\\", \\\"Imesh\\\", \\r\\n ApplicationProtocol == \\\"278\\\", \\\"Skype\\\",\\r\\n ApplicationProtocol == \\\"279\\\", \\\"Google Talk\\\",\\r\\n ApplicationProtocol == \\\"317\\\", \\\"Cabos\\\", \\r\\n ApplicationProtocol == \\\"318\\\", \\\"Zultrax\\\",\\r\\n ApplicationProtocol == \\\"319\\\", \\\"Foxy\\\",\\r\\n ApplicationProtocol == \\\"320\\\", \\\"eDonkey\\\",\\r\\n ApplicationProtocol == \\\"321\\\", \\\"Ares\\\", \\r\\n ApplicationProtocol == \\\"322\\\", \\\"Miranda\\\",\\r\\n ApplicationProtocol == \\\"323\\\", \\\"Kceasy\\\",\\r\\n ApplicationProtocol == \\\"324\\\", \\\"MoodAmp\\\",\\r\\n ApplicationProtocol == \\\"325\\\", \\\"Deepnet Explorer\\\", \\r\\n ApplicationProtocol == \\\"326\\\", 
\\\"FreeWire\\\",\\r\\n ApplicationProtocol == \\\"327\\\", \\\"Gimme\\\",\\r\\n ApplicationProtocol == \\\"328\\\", \\\"GnucDNA GWebCache\\\",\\r\\n ApplicationProtocol == \\\"329\\\", \\\"Jubster\\\",\\r\\n ApplicationProtocol == \\\"330\\\", \\\"MyNapster\\\", \\r\\n ApplicationProtocol == \\\"331\\\", \\\"Nova GWebCache\\\",\\r\\n ApplicationProtocol == \\\"332\\\", \\\"Swapper GWebCache\\\",\\r\\n ApplicationProtocol == \\\"333\\\", \\\"Xnap\\\",\\r\\n ApplicationProtocol == \\\"334\\\", \\\"Xolox\\\", \\r\\n ApplicationProtocol == \\\"335\\\", \\\"Ppstream\\\",\\r\\n ApplicationProtocol == \\\"640\\\", \\\"AIM Express\\\",\\r\\n ApplicationProtocol == \\\"641\\\", \\\"Chikka SMS Messenger\\\",\\r\\n ApplicationProtocol == \\\"642\\\", \\\"eBuddy\\\", \\r\\n ApplicationProtocol == \\\"643\\\", \\\"ICQ2Go\\\",\\r\\n ApplicationProtocol == \\\"644\\\", \\\"ILoveIM Web Messenger\\\",\\r\\n ApplicationProtocol == \\\"645\\\", \\\"IMUnitive\\\",\\r\\n ApplicationProtocol == \\\"646\\\", \\\"Mabber\\\",\\r\\n ApplicationProtocol == \\\"647\\\", \\\"Meebo\\\",\\r\\n ApplicationProtocol == \\\"648\\\", \\\"Yahoo! 
Web Messenger\\\", \\r\\n ApplicationProtocol == \\\"848\\\", \\\"SIP2\\\",\\r\\n ApplicationProtocol == \\\"1024\\\", \\\"GPass\\\",\\r\\n ApplicationProtocol == \\\"10001\\\", \\\"IP\\\",\\r\\n ApplicationProtocol == \\\"10002\\\", \\\"ARP\\\",\\r\\n ApplicationProtocol == \\\"10003\\\", \\\"TCP\\\", \\r\\n ApplicationProtocol == \\\"10004\\\", \\\"UDP\\\",\\r\\n ApplicationProtocol == \\\"10005\\\", \\\"IGMP\\\",\\r\\n ApplicationProtocol == \\\"60\\\", \\\"ORACLE\\\", \\r\\n ApplicationProtocol == \\\"44\\\", \\\"MySQL\\\",\\r\\n ApplicationProtocol == \\\"520\\\", \\\"MSSQL\\\",\\r\\n ApplicationProtocol == \\\"337\\\", \\\"Postgres\\\", \\r\\n ApplicationProtocol == \\\"41\\\", \\\"ICMPv6\\\",\\r\\n ApplicationProtocol == \\\"10006\\\", \\\"GGP\\\",\\r\\n ApplicationProtocol == \\\"10007\\\", \\\"PUP\\\",\\r\\n ApplicationProtocol == \\\"10008\\\", \\\"IDP\\\", \\r\\n ApplicationProtocol == \\\"10009\\\", \\\"ND\\\",\\r\\n ApplicationProtocol == \\\"10010\\\", \\\"RAW\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize ProtocolCount = count() by AppProtocol\",\"size\":3,\"title\":\"Network protocols\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 10\",\"styleSettings\":{\"maxWidth\":\"45\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where EventMessage has \\\"CnC Callback\\\" \\r\\n| project EventEndTime, SrcIpAddr, DstIpAddr\\r\\n\",\"size\":0,\"title\":\"CnC connections\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 15\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where EventMessage has \\\"Endpoint Application 
Control\\\"\\r\\n| where DvcAction has \\\"Blocked\\\"\\r\\n| project EventEndTime, Application = FileName, SrcUserName\\r\\n\",\"size\":0,\"title\":\"Blocked applications\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 13\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where isnotempty(FileName)\\r\\n | extend File = strcat(FilePath, FileName)\\r\\n | summarize count() by File\\r\\n | sort by count_ desc \",\"size\":0,\"title\":\"Suspicious files\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 10\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| sort by TimeGenerated desc \\r\\n| where EventMessage !in~ (\\\"Engine Update Statusd\\\", \\\"Pattern Update Status\\\")\\r\\n| project EventEndTime, Module=EventMessage, FileName \",\"size\":0,\"title\":\"Latest detections\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"55\",\"name\":\"query - 11\",\"styleSettings\":{\"maxWidth\":\"80\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where EventMessage has \\\"Data Loss Prevention\\\"\\r\\n | extend DeviceCustomNumber3 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber3\\\", long(null)),DeviceCustomNumber3)\\r\\n | where isnotempty(DeviceCustomNumber3)\\r\\n | extend Channel_Type 
= case(\\r\\n DeviceCustomNumber3 == \\\"65535\\\", \\\"Not available\\\",\\r\\n DeviceCustomNumber3 == \\\"0\\\", \\\"Removable storage\\\", \\r\\n DeviceCustomNumber3 == \\\"1\\\", \\\"SMB\\\",\\r\\n DeviceCustomNumber3 == \\\"2\\\", \\\"Email\\\",\\r\\n DeviceCustomNumber3 == \\\"3\\\", \\\"IM\\\", \\r\\n DeviceCustomNumber3 == \\\"4\\\", \\\"FTP\\\",\\r\\n DeviceCustomNumber3 == \\\"5\\\", \\\"HTTP\\\",\\r\\n DeviceCustomNumber3 == \\\"6\\\", \\\"HTTPS\\\", \\r\\n DeviceCustomNumber3 == \\\"7\\\", \\\"PGP\\\",\\r\\n DeviceCustomNumber3 == \\\"8\\\", \\\"Data recorders\\\",\\r\\n DeviceCustomNumber3 == \\\"9\\\", \\\"Printer\\\", \\r\\n DeviceCustomNumber3 == \\\"10\\\", \\\"Clipboard\\\",\\r\\n DeviceCustomNumber3 == \\\"11\\\", \\\"Sync\\\",\\r\\n DeviceCustomNumber3 == \\\"12\\\", \\\"P2P\\\",\\r\\n DeviceCustomNumber3 == \\\"13\\\", \\\"Webmail\\\", \\r\\n DeviceCustomNumber3 == \\\"14\\\", \\\"Document management\\\",\\r\\n DeviceCustomNumber3 == \\\"15\\\", \\\"Cloud storage\\\",\\r\\n DeviceCustomNumber3 == \\\"121\\\", \\\"SMTP email\\\",\\r\\n DeviceCustomNumber3 == \\\"122\\\", \\\"Exchange Client Mail\\\", \\r\\n DeviceCustomNumber3 == \\\"123\\\", \\\"Lotus Note Email\\\",\\r\\n DeviceCustomNumber3 == \\\"130\\\", \\\"Webmail (Yahoo! 
Mail)\\\",\\r\\n DeviceCustomNumber3 == \\\"131\\\", \\\"Webmail (Hotmail)\\\",\\r\\n DeviceCustomNumber3 == \\\"132\\\", \\\"Webmail (Gmail)\\\",\\r\\n DeviceCustomNumber3 == \\\"133\\\", \\\"Webmail (AOL Mail)\\\",\\r\\n DeviceCustomNumber3 == \\\"140\\\", \\\"IM (MSN)\\\",\\r\\n DeviceCustomNumber3 == \\\"141\\\", \\\"IM (AIM)\\\",\\r\\n DeviceCustomNumber3 == \\\"142\\\", \\\"IM (Yahoo Messenger)\\\",\\r\\n DeviceCustomNumber3 == \\\"143\\\", \\\"IM (Skype)\\\",\\r\\n DeviceCustomNumber3 == \\\"191\\\", \\\"P2P (BitTorrent)\\\",\\r\\n DeviceCustomNumber3 == \\\"192\\\", \\\"P2P (EMule)\\\",\\r\\n DeviceCustomNumber3 == \\\"193\\\", \\\"P2P (Winny)\\\",\\r\\n DeviceCustomNumber3 == \\\"194\\\", \\\"P2P (HTCSYN)\\\",\\r\\n DeviceCustomNumber3 == \\\"195\\\", \\\"P2P (iTunes)\\\",\\r\\n DeviceCustomNumber3 == \\\"196\\\", \\\"Cloud storage (DropBox)\\\",\\r\\n DeviceCustomNumber3 == \\\"197\\\", \\\"Cloud storage (Box)\\\",\\r\\n DeviceCustomNumber3 == \\\"198\\\", \\\"Cloud storage (Google Drive)\\\",\\r\\n DeviceCustomNumber3 == \\\"199\\\", \\\"Cloud storage (OneDrive)\\\",\\r\\n DeviceCustomNumber3 == \\\"200\\\", \\\"Cloud storage (SugarSync)\\\",\\r\\n DeviceCustomNumber3 == \\\"201\\\", \\\"Cloud storage (Hightail)\\\",\\r\\n DeviceCustomNumber3 == \\\"202\\\", \\\"IM (QQ)\\\",\\r\\n DeviceCustomNumber3 == \\\"203\\\", \\\"Webmail (other)\\\",\\r\\n DeviceCustomNumber3 == \\\"204\\\", \\\"Cloud storage (Evernote)\\\",\\r\\n DeviceCustomNumber3 == \\\"211\\\", \\\"Document management (SharePoint)\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize ChannelType = count() by Channel_Type\",\"size\":3,\"title\":\"Channel types\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"name\":\"query - 
9\"}],\"fromTemplateId\":\"sentinel-TrendMicroApexOneWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **TMApexOneEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-TMApexOneEvent-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"60\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where isnotempty(DstDvcHostname)\\r\\n| summarize 
dcount(DstDvcHostname)\",\"size\":3,\"title\":\"Devices\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\n| where isnotempty(SrcUserName)\\n| summarize dcount(SrcUserName)\",\"size\":3,\"title\":\"Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\n| where isnotempty(SrcProcessName)\\n| summarize dcount(SrcProcessName)\",\"size\":3,\"title\":\"Processes\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where EventMessage has \\\"Endpoint Application Control\\\"\\r\\n | where DvcAction has \\\"blocked\\\"\\r\\n | count\",\"size\":3,\"title\":\"Blocked applications\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"}]},\"customWidth\":\"30\",\"name\":\"group - 
15\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | extend EventType = case(\\r\\n EventMessage == \\\"7\\\", \\\"Web Security\\\", \\r\\n EventMessage == \\\"virusa\\\", \\\"Predictive Machine Learning\\\",\\r\\n EventMessage == \\\"Attack Discovery Detections\\\", \\\"Attack Discovery Detection\\\", \\r\\n EventMessage == \\\"Behavior Monitoring\\\", \\\"Behavior Monitoring\\\",\\r\\n EventMessage == \\\"CnC Callback\\\", \\\"C&C Callback\\\", \\r\\n EventMessage == \\\"This is a policy name\\\", \\\"Policy name\\\",\\r\\n EventMessage == \\\"Data Loss Prevention\\\", \\\"Data Loss Prevention\\\", \\r\\n EventMessage == \\\"Device Access Control\\\", \\\"Device Access Control\\\",\\r\\n EventMessage == \\\"Endpoint Application Control Violation Information\\\", \\\"Endpoint Application Control\\\", \\r\\n EventMessage == \\\"Engine Update Status\\\", \\\"Engine Update Status\\\",\\r\\n EventMessage == \\\"Managed Product Logon/Logoff Events\\\", \\\"Managed Product Logon/Logoff Events\\\", \\r\\n EventMessage == \\\"Suspicious Connection\\\", \\\"Suspicious Connection\\\",\\r\\n EventMessage == \\\"Pattern Update Status\\\", \\\"Pattern Update Status\\\", \\r\\n EventMessage == \\\"VAN_RANSOMWARE.umxxhelloransom_abc\\\", \\\"Sandbox Detection\\\",\\r\\n EventMessage == \\\"Spyware Detected\\\", \\\"Spyware Detected\\\", \\r\\n EventMessage == \\\"JS_EXPLOIT.SMDN\\\", \\\"Virus/Malware Detected\\\",\\r\\n EventMessage == \\\"Suspicious Files\\\", \\\"Suspicious Files\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize count() by 
EventType\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"EventType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where isnotempty(ApplicationProtocol)\\r\\n | extend AppProtocol = case(\\r\\n ApplicationProtocol == \\\"0\\\", \\\"Unknown\\\", \\r\\n ApplicationProtocol == \\\"1\\\", \\\"SMTP\\\",\\r\\n ApplicationProtocol == \\\"2\\\", \\\"POP3\\\",\\r\\n ApplicationProtocol == \\\"3\\\", \\\"IRC\\\", \\r\\n ApplicationProtocol == \\\"4\\\", \\\"DNS Response\\\",\\r\\n ApplicationProtocol == \\\"5\\\", \\\"HTTP\\\",\\r\\n ApplicationProtocol == \\\"6\\\", \\\"FTP\\\", \\r\\n ApplicationProtocol == \\\"7\\\", \\\"TFTP\\\",\\r\\n ApplicationProtocol == \\\"8\\\", \\\"SMB\\\",\\r\\n ApplicationProtocol == \\\"9\\\", \\\"Windows Live Messenger (MSN)\\\", \\r\\n ApplicationProtocol == \\\"10\\\", \\\"AIM\\\",\\r\\n ApplicationProtocol == \\\"11\\\", \\\"Yahoo! Messenger\\\",\\r\\n ApplicationProtocol == \\\"12\\\", \\\"Gmail\\\",\\r\\n ApplicationProtocol == \\\"13\\\", \\\"Yahoo! 
Mail\\\", \\r\\n ApplicationProtocol == \\\"14\\\", \\\"Windows Live Hotmail\\\",\\r\\n ApplicationProtocol == \\\"15\\\", \\\"RDP\\\",\\r\\n ApplicationProtocol == \\\"16\\\", \\\"DHCP\\\",\\r\\n ApplicationProtocol == \\\"17\\\", \\\"Telnet\\\", \\r\\n ApplicationProtocol == \\\"18\\\", \\\"LDAP\\\",\\r\\n ApplicationProtocol == \\\"19\\\", \\\"File transfer\\\",\\r\\n ApplicationProtocol == \\\"20\\\", \\\"SSH\\\",\\r\\n ApplicationProtocol == \\\"21\\\", \\\"Dameware\\\", \\r\\n ApplicationProtocol == \\\"22\\\", \\\"VNC\\\",\\r\\n ApplicationProtocol == \\\"23\\\", \\\"Cisco Telnet\\\",\\r\\n ApplicationProtocol == \\\"24\\\", \\\"Kerberos\\\", \\r\\n ApplicationProtocol == \\\"25\\\", \\\"DCE RPC\\\",\\r\\n ApplicationProtocol == \\\"26\\\", \\\"SQL\\\",\\r\\n ApplicationProtocol == \\\"27\\\", \\\"pcAnywhere\\\", \\r\\n ApplicationProtocol == \\\"28\\\", \\\"ICMP\\\",\\r\\n ApplicationProtocol == \\\"29\\\", \\\"SNMP\\\",\\r\\n ApplicationProtocol == \\\"30\\\", \\\"Virus pattern TCP\\\", \\r\\n ApplicationProtocol == \\\"31\\\", \\\"Virus pattern UDP\\\",\\r\\n ApplicationProtocol == \\\"32\\\", \\\"HTTPS\\\",\\r\\n ApplicationProtocol == \\\"33\\\", \\\"SMB2\\\",\\r\\n ApplicationProtocol == \\\"34\\\", \\\"MMS\\\", \\r\\n ApplicationProtocol == \\\"35\\\", \\\"IMAP4\\\",\\r\\n ApplicationProtocol == \\\"36\\\", \\\"RADIUS\\\",\\r\\n ApplicationProtocol == \\\"37\\\", \\\"Radmin\\\",\\r\\n ApplicationProtocol == \\\"38\\\", \\\"FTP_Response\\\", \\r\\n ApplicationProtocol == \\\"48\\\", \\\"RTSP/RTP-UDP\\\",\\r\\n ApplicationProtocol == \\\"49\\\", \\\"RTSP/RTP-TCP\\\",\\r\\n ApplicationProtocol == \\\"50\\\", \\\"RTSP/RDT-UDP\\\",\\r\\n ApplicationProtocol == \\\"51\\\", \\\"RTSP/RDT-TCP\\\",\\r\\n ApplicationProtocol == \\\"52\\\", \\\"WMSP\\\",\\r\\n ApplicationProtocol == \\\"53\\\", \\\"SHOUTCast\\\", \\r\\n ApplicationProtocol == \\\"54\\\", \\\"RTMP\\\",\\r\\n ApplicationProtocol == \\\"68\\\", \\\"DNS Request\\\",\\r\\n ApplicationProtocol == 
\\\"256\\\", \\\"BitTorrent\\\", \\r\\n ApplicationProtocol == \\\"257\\\", \\\"Kazaa\\\",\\r\\n ApplicationProtocol == \\\"258\\\", \\\"Limewire\\\",\\r\\n ApplicationProtocol == \\\"259\\\", \\\"Bearshare\\\", \\r\\n ApplicationProtocol == \\\"260\\\", \\\"Bluester\\\",\\r\\n ApplicationProtocol == \\\"261\\\", \\\"Edonkey emule\\\",\\r\\n ApplicationProtocol == \\\"262\\\", \\\"Edonkey2000\\\",\\r\\n ApplicationProtocol == \\\"263\\\", \\\"Filezilla\\\", \\r\\n ApplicationProtocol == \\\"264\\\", \\\"Guncleus\\\",\\r\\n ApplicationProtocol == \\\"265\\\", \\\"Gnutella\\\",\\r\\n ApplicationProtocol == \\\"266\\\", \\\"Winny\\\",\\r\\n ApplicationProtocol == \\\"267\\\", \\\"Napster\\\", \\r\\n ApplicationProtocol == \\\"268\\\", \\\"Morpheus\\\",\\r\\n ApplicationProtocol == \\\"269\\\", \\\"Napster\\\",\\r\\n ApplicationProtocol == \\\"270\\\", \\\"Shareaza\\\",\\r\\n ApplicationProtocol == \\\"271\\\", \\\"WinMX\\\", \\r\\n ApplicationProtocol == \\\"272\\\", \\\"Mldonkey\\\",\\r\\n ApplicationProtocol == \\\"273\\\", \\\"Direct Connect\\\",\\r\\n ApplicationProtocol == \\\"274\\\", \\\"Soulseek\\\", \\r\\n ApplicationProtocol == \\\"275\\\", \\\"OpenAP\\\",\\r\\n ApplicationProtocol == \\\"276\\\", \\\"Kuro\\\",\\r\\n ApplicationProtocol == \\\"277\\\", \\\"Imesh\\\", \\r\\n ApplicationProtocol == \\\"278\\\", \\\"Skype\\\",\\r\\n ApplicationProtocol == \\\"279\\\", \\\"Google Talk\\\",\\r\\n ApplicationProtocol == \\\"317\\\", \\\"Cabos\\\", \\r\\n ApplicationProtocol == \\\"318\\\", \\\"Zultrax\\\",\\r\\n ApplicationProtocol == \\\"319\\\", \\\"Foxy\\\",\\r\\n ApplicationProtocol == \\\"320\\\", \\\"eDonkey\\\",\\r\\n ApplicationProtocol == \\\"321\\\", \\\"Ares\\\", \\r\\n ApplicationProtocol == \\\"322\\\", \\\"Miranda\\\",\\r\\n ApplicationProtocol == \\\"323\\\", \\\"Kceasy\\\",\\r\\n ApplicationProtocol == \\\"324\\\", \\\"MoodAmp\\\",\\r\\n ApplicationProtocol == \\\"325\\\", \\\"Deepnet Explorer\\\", \\r\\n ApplicationProtocol == \\\"326\\\", 
\\\"FreeWire\\\",\\r\\n ApplicationProtocol == \\\"327\\\", \\\"Gimme\\\",\\r\\n ApplicationProtocol == \\\"328\\\", \\\"GnucDNA GWebCache\\\",\\r\\n ApplicationProtocol == \\\"329\\\", \\\"Jubster\\\",\\r\\n ApplicationProtocol == \\\"330\\\", \\\"MyNapster\\\", \\r\\n ApplicationProtocol == \\\"331\\\", \\\"Nova GWebCache\\\",\\r\\n ApplicationProtocol == \\\"332\\\", \\\"Swapper GWebCache\\\",\\r\\n ApplicationProtocol == \\\"333\\\", \\\"Xnap\\\",\\r\\n ApplicationProtocol == \\\"334\\\", \\\"Xolox\\\", \\r\\n ApplicationProtocol == \\\"335\\\", \\\"Ppstream\\\",\\r\\n ApplicationProtocol == \\\"640\\\", \\\"AIM Express\\\",\\r\\n ApplicationProtocol == \\\"641\\\", \\\"Chikka SMS Messenger\\\",\\r\\n ApplicationProtocol == \\\"642\\\", \\\"eBuddy\\\", \\r\\n ApplicationProtocol == \\\"643\\\", \\\"ICQ2Go\\\",\\r\\n ApplicationProtocol == \\\"644\\\", \\\"ILoveIM Web Messenger\\\",\\r\\n ApplicationProtocol == \\\"645\\\", \\\"IMUnitive\\\",\\r\\n ApplicationProtocol == \\\"646\\\", \\\"Mabber\\\",\\r\\n ApplicationProtocol == \\\"647\\\", \\\"Meebo\\\",\\r\\n ApplicationProtocol == \\\"648\\\", \\\"Yahoo! 
Web Messenger\\\", \\r\\n ApplicationProtocol == \\\"848\\\", \\\"SIP2\\\",\\r\\n ApplicationProtocol == \\\"1024\\\", \\\"GPass\\\",\\r\\n ApplicationProtocol == \\\"10001\\\", \\\"IP\\\",\\r\\n ApplicationProtocol == \\\"10002\\\", \\\"ARP\\\",\\r\\n ApplicationProtocol == \\\"10003\\\", \\\"TCP\\\", \\r\\n ApplicationProtocol == \\\"10004\\\", \\\"UDP\\\",\\r\\n ApplicationProtocol == \\\"10005\\\", \\\"IGMP\\\",\\r\\n ApplicationProtocol == \\\"60\\\", \\\"ORACLE\\\", \\r\\n ApplicationProtocol == \\\"44\\\", \\\"MySQL\\\",\\r\\n ApplicationProtocol == \\\"520\\\", \\\"MSSQL\\\",\\r\\n ApplicationProtocol == \\\"337\\\", \\\"Postgres\\\", \\r\\n ApplicationProtocol == \\\"41\\\", \\\"ICMPv6\\\",\\r\\n ApplicationProtocol == \\\"10006\\\", \\\"GGP\\\",\\r\\n ApplicationProtocol == \\\"10007\\\", \\\"PUP\\\",\\r\\n ApplicationProtocol == \\\"10008\\\", \\\"IDP\\\", \\r\\n ApplicationProtocol == \\\"10009\\\", \\\"ND\\\",\\r\\n ApplicationProtocol == \\\"10010\\\", \\\"RAW\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize ProtocolCount = count() by AppProtocol\",\"size\":3,\"title\":\"Network protocols\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 10\",\"styleSettings\":{\"maxWidth\":\"45\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where EventMessage has \\\"CnC Callback\\\" \\r\\n| project EventEndTime, SrcIpAddr, DstIpAddr\\r\\n\",\"size\":0,\"title\":\"CnC connections\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 15\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| where EventMessage has \\\"Endpoint Application 
Control\\\"\\r\\n| where DvcAction has \\\"Blocked\\\"\\r\\n| project EventEndTime, Application = FileName, SrcUserName\\r\\n\",\"size\":0,\"title\":\"Blocked applications\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 13\",\"styleSettings\":{\"maxWidth\":\"35\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where isnotempty(FileName)\\r\\n | extend File = strcat(FilePath, FileName)\\r\\n | summarize count() by File\\r\\n | sort by count_ desc \",\"size\":0,\"title\":\"Suspicious files\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 10\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"TMApexOneEvent\\r\\n| sort by TimeGenerated desc \\r\\n| where EventMessage !in~ (\\\"Engine Update Statusd\\\", \\\"Pattern Update Status\\\")\\r\\n| project EventEndTime, Module=EventMessage, FileName \",\"size\":0,\"title\":\"Latest detections\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"55\",\"name\":\"query - 11\",\"styleSettings\":{\"maxWidth\":\"80\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" TMApexOneEvent\\r\\n | where EventMessage has \\\"Data Loss Prevention\\\"\\r\\n | extend DeviceCustomNumber3 = coalesce(column_ifexists(\\\"FieldDeviceCustomNumber3\\\", long(null)),DeviceCustomNumber3)\\r\\n | where isnotempty(DeviceCustomNumber3)\\r\\n | extend Channel_Type 
= case(\\r\\n DeviceCustomNumber3 == \\\"65535\\\", \\\"Not available\\\",\\r\\n DeviceCustomNumber3 == \\\"0\\\", \\\"Removable storage\\\", \\r\\n DeviceCustomNumber3 == \\\"1\\\", \\\"SMB\\\",\\r\\n DeviceCustomNumber3 == \\\"2\\\", \\\"Email\\\",\\r\\n DeviceCustomNumber3 == \\\"3\\\", \\\"IM\\\", \\r\\n DeviceCustomNumber3 == \\\"4\\\", \\\"FTP\\\",\\r\\n DeviceCustomNumber3 == \\\"5\\\", \\\"HTTP\\\",\\r\\n DeviceCustomNumber3 == \\\"6\\\", \\\"HTTPS\\\", \\r\\n DeviceCustomNumber3 == \\\"7\\\", \\\"PGP\\\",\\r\\n DeviceCustomNumber3 == \\\"8\\\", \\\"Data recorders\\\",\\r\\n DeviceCustomNumber3 == \\\"9\\\", \\\"Printer\\\", \\r\\n DeviceCustomNumber3 == \\\"10\\\", \\\"Clipboard\\\",\\r\\n DeviceCustomNumber3 == \\\"11\\\", \\\"Sync\\\",\\r\\n DeviceCustomNumber3 == \\\"12\\\", \\\"P2P\\\",\\r\\n DeviceCustomNumber3 == \\\"13\\\", \\\"Webmail\\\", \\r\\n DeviceCustomNumber3 == \\\"14\\\", \\\"Document management\\\",\\r\\n DeviceCustomNumber3 == \\\"15\\\", \\\"Cloud storage\\\",\\r\\n DeviceCustomNumber3 == \\\"121\\\", \\\"SMTP email\\\",\\r\\n DeviceCustomNumber3 == \\\"122\\\", \\\"Exchange Client Mail\\\", \\r\\n DeviceCustomNumber3 == \\\"123\\\", \\\"Lotus Note Email\\\",\\r\\n DeviceCustomNumber3 == \\\"130\\\", \\\"Webmail (Yahoo! 
Mail)\\\",\\r\\n DeviceCustomNumber3 == \\\"131\\\", \\\"Webmail (Hotmail)\\\",\\r\\n DeviceCustomNumber3 == \\\"132\\\", \\\"Webmail (Gmail)\\\",\\r\\n DeviceCustomNumber3 == \\\"133\\\", \\\"Webmail (AOL Mail)\\\",\\r\\n DeviceCustomNumber3 == \\\"140\\\", \\\"IM (MSN)\\\",\\r\\n DeviceCustomNumber3 == \\\"141\\\", \\\"IM (AIM)\\\",\\r\\n DeviceCustomNumber3 == \\\"142\\\", \\\"IM (Yahoo Messenger)\\\",\\r\\n DeviceCustomNumber3 == \\\"143\\\", \\\"IM (Skype)\\\",\\r\\n DeviceCustomNumber3 == \\\"191\\\", \\\"P2P (BitTorrent)\\\",\\r\\n DeviceCustomNumber3 == \\\"192\\\", \\\"P2P (EMule)\\\",\\r\\n DeviceCustomNumber3 == \\\"193\\\", \\\"P2P (Winny)\\\",\\r\\n DeviceCustomNumber3 == \\\"194\\\", \\\"P2P (HTCSYN)\\\",\\r\\n DeviceCustomNumber3 == \\\"195\\\", \\\"P2P (iTunes)\\\",\\r\\n DeviceCustomNumber3 == \\\"196\\\", \\\"Cloud storage (DropBox)\\\",\\r\\n DeviceCustomNumber3 == \\\"197\\\", \\\"Cloud storage (Box)\\\",\\r\\n DeviceCustomNumber3 == \\\"198\\\", \\\"Cloud storage (Google Drive)\\\",\\r\\n DeviceCustomNumber3 == \\\"199\\\", \\\"Cloud storage (OneDrive)\\\",\\r\\n DeviceCustomNumber3 == \\\"200\\\", \\\"Cloud storage (SugarSync)\\\",\\r\\n DeviceCustomNumber3 == \\\"201\\\", \\\"Cloud storage (Hightail)\\\",\\r\\n DeviceCustomNumber3 == \\\"202\\\", \\\"IM (QQ)\\\",\\r\\n DeviceCustomNumber3 == \\\"203\\\", \\\"Webmail (other)\\\",\\r\\n DeviceCustomNumber3 == \\\"204\\\", \\\"Cloud storage (Evernote)\\\",\\r\\n DeviceCustomNumber3 == \\\"211\\\", \\\"Document management (SharePoint)\\\",\\r\\n \\\"unknown\\\")\\r\\n | summarize ChannelType = count() by Channel_Type\",\"size\":3,\"title\":\"Channel types\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"name\":\"query - 
9\"}],\"fromTemplateId\":\"sentinel-TrendMicroApexOneWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel"
@@ -993,16 +1134,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "TrendMicroApexOne",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOne"
 },
 {
- "connectorId": "TrendMicroApexOneAma",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOneAma"
 }
 ],
 "tactics": [
@@ -1016,8 +1157,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ]
 },
@@ -1025,8 +1166,8 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ]
 }
@@ -1112,16 +1253,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "TrendMicroApexOne",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOne"
 },
 {
- "connectorId": "TrendMicroApexOneAma",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOneAma"
 }
 ],
 "tactics": [
@@ -1135,8 +1276,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ]
 },
@@ -1144,8 +1285,8 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ]
 }
@@ -1231,16 +1372,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "TrendMicroApexOne",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOne"
 },
 {
- "connectorId": "TrendMicroApexOneAma",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOneAma"
 }
 ],
 "tactics": [
@@ -1255,8 +1396,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "UrlCustomEntity",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "UrlCustomEntity"
 }
 ]
 }
@@ -1342,16 +1483,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "TrendMicroApexOne",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOne"
 },
 {
- "connectorId": "TrendMicroApexOneAma",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOneAma"
 }
 ],
 "tactics": [
@@ -1365,8 +1506,8 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ]
 }
@@ -1452,16 +1593,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "TrendMicroApexOne",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOne"
 },
 {
- "connectorId": "TrendMicroApexOneAma",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOneAma"
 }
 ],
 "tactics": [
@@ -1475,8 +1616,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ]
 },
@@ -1484,8 +1625,8 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ]
 }
@@ -1571,16 +1712,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "TrendMicroApexOne",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOne"
 },
 {
- "connectorId": "TrendMicroApexOneAma",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOneAma"
 }
 ],
 "tactics": [
@@ -1594,8 +1735,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ]
 }
@@ -1681,16 +1822,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "TrendMicroApexOne",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOne"
 },
 {
- "connectorId": "TrendMicroApexOneAma",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOneAma"
 }
 ],
 "tactics": [
@@ -1705,8 +1846,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ]
 },
@@ -1714,8 +1855,8 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ]
 }
@@ -1801,16 +1942,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "TrendMicroApexOne",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOne"
 },
 {
- "connectorId": "TrendMicroApexOneAma",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOneAma"
 }
 ],
 "tactics": [
@@ -1824,8 +1965,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ]
 },
@@ -1833,8 +1974,8 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ]
 }
@@ -1920,16 +2061,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "TrendMicroApexOne",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOne"
 },
 {
- "connectorId": "TrendMicroApexOneAma",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOneAma"
 }
 ],
 "tactics": [
@@ -1943,8 +2084,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ]
 },
@@ -1952,8 +2093,8 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ]
 }
@@ -2039,16 +2180,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "TrendMicroApexOne",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOne"
 },
 {
- "connectorId": "TrendMicroApexOneAma",
 "dataTypes": [
 "TMApexOneEvent"
- ]
+ ],
+ "connectorId": "TrendMicroApexOneAma"
 }
 ],
 "tactics": [
@@ -2062,8 +2203,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ]
 },
@@ -2071,8 +2212,8 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
 }
 ]
 }
@@ -2981,7 +3122,7 @@
 "contentSchemaVersion": "3.0.0",
 "displayName": "Trend Micro Apex One",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Trend Micro Apex One solution for Microsoft Sentinel enables ingestion of Trend Micro Apex One events into Microsoft Sentinel. Refer to Trend Micro Apex Central for more information.

\n
    \n
  1. Trend Micro Apex One via AMA - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. Trend Micro Apex One via Legacy Agent - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of Trend Micro Apex One via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Trend Micro Apex One solution for Microsoft Sentinel enables ingestion of Trend Micro Apex One events into Microsoft Sentinel. Refer to Trend Micro Apex Central for more information.

\n
    \n
  1. Trend Micro Apex One via AMA - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. Trend Micro Apex One via Legacy Agent - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of Trend Micro Apex One via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -3016,6 +3157,11 @@
 "contentId": "[variables('_dataConnectorContentId2')]",
 "version": "[variables('dataConnectorVersion2')]"
 },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('_parserContentId1')]",
+ "version": "[variables('parserVersion1')]"
+ },
 {
 "kind": "Workbook",
 "contentId": "[variables('_workbookContentId1')]",
diff --git a/Solutions/Trend Micro Apex One/ReleaseNotes.md b/Solutions/Trend Micro Apex One/ReleaseNotes.md
new file mode 100644
index 00000000000..19df1aa026c
--- /dev/null
+++ b/Solutions/Trend Micro Apex One/ReleaseNotes.md
@@ -0,0 +1,5 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 22-09-2023 | Addition of new Trend Micro Apex One AMA **Data Connector** | |
+
+
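Review bot: The Parser dependency added in this hunk ships TMApexOneEvent with the solution, yet the workbook text on the new side of the serializedData hunk above still reads "This data connector depends on a parser based on Kusto Function TMApexOneEvent ... Follow steps to get this Kusto Function" with an external link, which now presents a manual step the solution already performs on install. Consider rewording that workbook item to something like `**NOTE**: This workbook depends on the **TMApexOneEvent** parser, which is deployed with this solution.`, or confirm the linked manual instructions are still intended for users who install the connector outside the solution. The `_parserContentId1` and `parserVersion1` variables referenced here are declared outside this hunk; verify they exist in the template's variables section, since an undefined variable reference would presumably fail template validation at deployment.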