From 728b44ba3e8de69a8ccf6807fc07cae0b551bf83 Mon Sep 17 00:00:00 2001
From: v-sabiraj
Date: Tue, 26 Sep 2023 18:47:28 +0530
Subject: [PATCH 1/4] Updating Workbook file names
---
 .../GitHub/Workbooks/{GitHubWorkbook.json => GitHub.json} | 0
 Solutions/GitHub/data/Solution_GitHub.json | 4 ++--
 .../V2/WorkbookMetadata/WorkbooksMetadata.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
 rename Solutions/GitHub/Workbooks/{GitHubWorkbook.json => GitHub.json} (100%)
diff --git a/Solutions/GitHub/Workbooks/GitHubWorkbook.json b/Solutions/GitHub/Workbooks/GitHub.json
similarity index 100%
rename from Solutions/GitHub/Workbooks/GitHubWorkbook.json
rename to Solutions/GitHub/Workbooks/GitHub.json
diff --git a/Solutions/GitHub/data/Solution_GitHub.json b/Solutions/GitHub/data/Solution_GitHub.json
index 0441979515a..82aeed79c0e 100644
--- a/Solutions/GitHub/data/Solution_GitHub.json
+++ b/Solutions/GitHub/data/Solution_GitHub.json
@@ -5,7 +5,7 @@
 "Description": "The [GitHub](https://github.com/) Solution for Microsoft Sentinel enables you to easily ingest events and logs from GitHub to Microsoft Sentinel using GitHub audit log API and webhooks. This enables you to view and analyze this data in your workbooks, query it to create custom alerts, and incorporate it to improve your investigation process, giving you more insight into your platform security.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n 1. [Codeless Connector Platform (CCP) (used in GitHub Enterprise Audit Log data connector)](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal) \r\n \r\n 2. [Azure Functions ](https://azure.microsoft.com/services/functions/#overview)",
 "Workbooks": [
 "Workbooks/GitHubAdvancedSecurity.json",
- "Workbooks/GitHubWorkbook.json"
+ "Workbooks/GitHub.json"
 ],
 "Analytic Rules": [
 "Analytic Rules/(Preview) GitHub - A payment method was removed.yaml",
@@ -45,7 +45,7 @@
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\GitHub",
- "Version": "2.0.3",
+ "Version": "3.0.0",
 "TemplateSpec": true,
 "Is1PConnector": false
 }
\ No newline at end of file
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index d0df6dd7dff..12567605b5c 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -3791,7 +3791,7 @@
 "previewImagesFileNames": [],
 "version": "1.0.0",
 "title": "GithubWorkbook",
- "templateRelativePath": "GitHubWorkbook.json",
+ "templateRelativePath": "GitHub.json",
 "subtitle": "",
 "provider": "Microsoft"
 },
From 0c66d29208cd0a8bfdadcf510064baecb4468335 Mon Sep 17 00:00:00 2001
From: Github Bot
Date: Tue, 26 Sep 2023 13:38:40 +0000
Subject: [PATCH 2/4] [skip ci] Github Bot Added package to Pull Request!
---
 Solutions/GitHub/Package/3.0.1.zip | Bin 34258 -> 30671 bytes
 .../GitHub/Package/createUiDefinition.json | 13 +-
 Solutions/GitHub/Package/mainTemplate.json | 3194 +++++++----------
 .../data/system_generated_metadata.json | 33 +
 4 files changed, 1374 insertions(+), 1866 deletions(-)
 create mode 100644 Solutions/GitHub/data/system_generated_metadata.json
diff --git a/Solutions/GitHub/Package/3.0.1.zip b/Solutions/GitHub/Package/3.0.1.zip index 2230c296c194691169e0fb56f6ea05ebbccef759..deb1d5638db68f091349d29f60c22151b96c25ce 100644 GIT binary patch literal 30671 zcmV)&K#adoO9KQH000080McwaS2X^>wkZw(08CQ=02crN0Aq4xVRU6xX+&jaX>MtB zX>V>WYIARH?Obhh+cpyZo?n4c@5WL_FSh%hxm-tQw`pdQ#+NwF+}N26L_!j3kYE8& zs?zg+zug5$Q4*Ed31w?K_a%iYbBZbU!QNw{VQhyA1eaW6AsCdGVkVgz^M_0v-^mZ@}7r~T)-a`M-t|C`n6 z7p*QXHRWlngu$hr%gAV}$F4u5sVftB+L58=eRUG(hktjKEl=)3KbC zzhOk$H}X91F!x;V;^WM-Lyecjr@K1WWjWjRd>6O7%Qt(%M|ux9wtM{0fw12R5v1waSqV zOVpmY!!ltU2j!#_<}`CtY1ykl*kzd#+zMvISQvjnjw=N>_TS;=U`Oo2 z^RwK7mkSA_Q_joaepYIl6_Q~hpRA&XMc2)e%%g2WVG|_ri-N=8nUTkjSvP zHdiB@q04^Hg@LU)yfY%qvM9F>w#Wh54k&OcnMT@V+TdkRE0fIVneg+;bOxNt2`3@J zg-BSqb0TNR2<|Hhf=6h;UzmVy%oKMZ(}Y4%3h)JaUYvO|u7H>9KPmkIIhi~I>A8Ut6Rrlq@_RU{$RBal1JeS?cNkz3 zgbX-KNLEHz@H@B?k7IH~Tm@tygFvUj5O}x{Y3uBxr8JKE?BYbn0^niUiB3}yIk@Gl z5PSRN&}Qz~nuEqGF29lHXWIc8y&UL214NkE>o3Hqt9+ z`N8p#eGCFtdeNIn-s2_#K_mzZ@%Q7CKuDKB?me2fhmz!~Q&IXcuu0B}{gkH>xeE3X zg$Of~fYQOZxMA=Gz}cW)I^JWQBEzN3EW+%l3#dHf2JWWcU*hjKg)!mCF^&w;@SKd; z%N+Qn8^6NwpK}z*g#8!L!ysv+@30a5$B48enP*~*gJ z?&IpI_Z@bCzRPADb(a-u56D-Mw6{;TG6N}WJ1qcSMnpIUFJW61y0_*3uPdTbI^uO= zf|$GifD6 zg(6d^-E^VDCr0Pl`p!A}#~=TY79k54oyjY+JgEK+b1t)x0tl6CB!%<_nFYq44d0ae zuk6MxGO?OTmH6!sO)|_R7^5>YrBXlPe05LS_K_n?CMn;OawJd?eUe?C4wJU;9le%CuZI)L47 zYP7puck`R6?L;RD~34oqa7*DLIy#1DCu^x+l4ec^Xj)?Q?=<(vCS;zqKNb>&mZ{ICmpm z^~f&FU206!D2#jiG~N+`Pf0B%;a-zIrH3>;Xr{h0Oo5&&`5x%-R_?F_6r00kO*j$` zwFlLk5z3cmP}szB40SO~%8-3aL%1xZ8_SC{=ADkknlCmIDn2NNdQSJ?4}&BVl4-bT z1y3-wr>eIs<{%eMB`5%R>$0g&e!EypLikGETGfc?0T-8nXaNfmFkqx6N4+VBX3+tl zzB=A1E^vjK@v1-DNZ!K+(O9Z_SX-4Q0by59yKYdBg}MqS?iCZS&3nCF#O42sT=-*2 z!+N&8ng?uLg{suMr#H+WR>a>zMUvCW^wVS(L z&?xtG$Kk?mc%Nb?ZQDUxo(h%G$;<>2kK$y;ddGvpbi}7K3jm_>S#An<6D^TErfVqoe~1DcxcoqB1Vr5p*UQiK{0y1@ML5>FTYXK}El&4j1&JxzUQu=sM9 zZsG;c-IVbxQ!+@b2jYvAL<@q1(g?RZ&++BHpeA^Zt!(ePt=M7^a77rm3N_xcNo6istc$6OU0gK~FM$cDrQaa5~=W?}K&KEmRI{O>tBzP}T6j8OhfyNK`i6$^peq9J;j 
zJMB3Zjt=hx3^JY3F+(txrFa@XjXT^|d~6lKzT;!3=d@W4IaX-w++Bfvw0DQJTiD)r zEHrmUdlM`q!Ze;@9_`Ip?KUWQuJ;`Y%^l1B^75SBWubj^Pv@@xueARXmG)6{$IWX^ zJnYw8rNZz~Yyz(@ca=H2)%`cYlt+PWVs7e5vi(x+HkvA}V>)XKDPw`sjz6 zO+vHn@BT%z+K!X8m(jL2(0_pNc0C}go7%HRkgz!xcK6W+5QuQ${m`{Lsksu}2KuqS-r@L@G>{ja%S5oJR6#+elZ-HMK@v2KJNNz3ByS#jrAj`U_fA`BvA(v4LK&gu`OW@ zdckERn8Lggtc#igcnH#DiLe&4PH=@!%|kqgznFv6o`UTl=Ll(Kcogs^pF z7#JRUhGF!z1t~QTxqB*6J`B0QedxjE5VkR5YxLDw1rykN&H)vtp#I{$Aj(xx2*BTOFvrFl(w`5N`>JI=2$j{o zZBf)TKH1|`-6#%4E=zOrR`|YD5S!gIkTjm`zo5c)m}U5~tTQrvULjPv4IOr@aInV+ zDTNW#PTs>*E9UM46I1V~vG^Hh_(ih6lIm5_?yak(e9 z721Vx8}vKI*n{=a)z6FQ+-3R7w_29pt?5-h)6}{kV`+clCtCnk?a%mZOIQ4!b7hM= z=({V$^7G}&Yu|UFZ?qIVRKL&CT4AjC(XLV~Kca&qHEV^B0iiUnA6!59A5cpJ1QY-O z00;omY&uu2PF63dXaE4o>;wQ20001OVQFquWo>Y5VRU6KYIARH?Y(Pv<2JH3`h9){ zw`ZSaySHTPYDt}R&UU(U={0?OyPf2`tKG{(iIB|Ql&B#oJD%+R@23hE5+nhN)XlOD zPbRTR0K}!LQ1zgy@Ymlg>)=1b(KVUc2hXj8>nNIs&reU;lar}EvnOOqX3>fL??pgP zM*ft)3r|~(=Aho_)EmuHhs-_y4$EDT>D;p;a`Hc+Kl}SZ4cj02vj|@OPJ+<&XZV@s zNdy1KUQbD6J9dQM{|o+xC-x$`_5&>V)*S_Y=#L|-ZiS2a+z+Dvo{DGK8`=c@#uPsv zVx>>Mw}{|NR>V7Fjs3v-#f^Sl3=g3AH~QJR9oX<`=v4Ay&mY+l>mz#t&!W3I!B)d4 zaAy<#J?yqSdqZZE=o(%&QxuNBd zz`cP_jst&6i@!Oy;tB`6+u!JazwtH6w^wFfvolz6o<0M$!N-mcKavTh0pDWOX@!C; z#FB(o9jJ;RAs~(5z(hyku}4Pu+hHvsl%qrO{_yzt%aTFMW7UsIOI>Bg`iJ{f zDu3fotn-=e-9_#wgw-Pfu@WZw1T5mth=&Url4vp4k74NhUz>Goca=qB%m&{ZEdn>X zTgElzI6#aMsZVsVcmSiMcWfy*ZRB1{+d~^Rho&g7a9{efu{(L~G?UtYkl{7Xq-Z2lNbZmHO6nD^96X-^ zll#F-wm}tsp`e2NHBB+ymqiQYPbi4P|Hx(2Yv(9Pem#s?_~iYZu!Xn1*HB|}9fhZ{ z%n1)`mMpH~7a*@{meh)1%(#hEudo?uOuDgCA*h_6WfM~{BSL}rG$$jZn5Hb$HDjwC zo)!%4u(qsr-5J#nYm1rtuLWU(;i%m3k2QnfwA_q!9rZME#ppxeJBv|FO}w{}{gtG; zA#-Z2+rWMw)()M~A^pW--T%b8&)d*er&V9cePOMX8aDf$Zf(Wb)6)ZUACe$mP{w2D z3&)MH7xDCDiY;IFRF|dNhq-Ty>0O1bPD2}XpHIXNK=&a|Nex6Z8K`eF_mDycWK4Hc_|DHg)w8M7$gokPWF?nQOG9Tri&vg0yy zt0(&NlCh_TPWzG=v$<)W77DFD${4iy{%%6UyB)5~7lI1&oS~Yo9B*XlzmPjx5{#H< z4CUKm1+6l*x5`laP86w%)ZSV~?K!1K)x>h@TSf8N4fUy%pDcZ)C&}iJ^2dcowDMUl zG)jq%v*EDY==NLnk!_Fa9eXgW5A5-<-X0UuJ3Ax8;kXyir@k3^P1L2NbrGca({vu) 
zod;?b!7}chs+Un*ILx zY(&Q0&RH=_K|BJOug=qkCdBIBimo;QY+ z-=oDE!+zIp^m_IF(C*edqhYr`XpDRHCh7NE_Lwvqqi!*w=PV?3DJ`KFnarCZ^mbW7 z--*q;0-?7n5c(?C=8g$nWqPW}cqyTG$`N{}B%!y83B6N_&^uZ}?`)mWJ7o#Iv!{gK zsX*wR{U`KJIYRF&CG>7NLhqI&^mZ|!cS{j^S4-&KtrL2;ETMPzl+e2s2)(=igx)Pj z=-s7+ekKULSxD%#SbIEfjK^T7I)k%zz0(*q>cdvMTW@z7o$;XAwH;@P*?Lxr(9g7l zeztW&KPyYpYBhg!p(V&>nd!-1yrzP~>)(O2= zme6~9O6a``gx=eKLhqF$^xjfJ@0TO=eo57(Q%vanQiR^u5_*5@gx)Vp=>0t<^nL|G z@9#gM_sbD_e<`64$`SgYB%$|<34KtC&<9#VA8eh_2W1I;u&0DRs6gn0{U`K6IYJ*S zKU!*(JX>m%A@$Bu<%PAg{B)_IKQwA=|J0~a`q-$kr}R#TQ2OAgvHuj011fcN)L2gQ zWzSQaCB^%)1J#lzs!cu3@8G1g{88!No|RTQEPV*4rDcyxm!Fq5OCFfAawTYf$%$#R z+>vQhe`ea;{-J5J^r>lcUyn_jRnASD58&XmS@PsGJ8)Hz`0TV8fMn&mgU;xz+ji=` z=D-G;Z?)^gMyp?MpOJQ_*(PW07Fj~``+9=fta60fd;n*t z&60%(@tT|evg2hDN6-y3z794|G?9i%q( zC#lWtAEh=+pQSeU^)R(r3tG7p^K^qjD9_fvX$vmgOt4nFgylRAEWioG-CG(xA?kkXaR&y^R^Hmi0 z-IBRVZC4TTQZmmwJSx9Oi=FixyF2QTdS@_h0j-}o^}*SATyHr;(g7am+MRwendek? zbtx^GSB(*@Oy=#fWWEz^eFZYlD(gjLzKX8CTQXN^>M9~$O6GZYN9Ffuv9q%ts4Klj z-F8L;p!H#|J{XPL^>M2?X!S-Q&%1+SGS6x0>QY)VFVfLBLgt;aWWEyxeFZYl>gPpd zzKVLjTQXNE=PDvzO6GZIN9FfuF)|wT&&EL9?G6FmyxZ#6?JkhH-5H#bv!>JUpEZif zJm>7FE~O>&B4@{qka@Q(neW8caRoBZ`Z^Yo`6|ASyCrj#tD}mDmy-EeIWnik>@(7` z$4*-iT=Bs!*?v~6|j*coKUP|V9M@QxNXt7bd)$W1Ju8*A&*r5&~_5N_ss5hH^hd8ZK zx6vCFlX=e3QC&()=0%Q<8zJ*vSu)>=pW_N-p7nDqBJ)-J9Cu6RDmO=2D*28z`t=F_|7Sxs`#jh&n2EA&0Q&pYOB#|v-I5cc|dMla+{Ro zS#k9VI&-Le!su2iP4>ZOB~#RsM9ES;hvr2J-_PO+p^xuB`>7y5d-Tel9qq34FzBz^mUx~#o-6x;=C1 ztZMvB{KB8pB6IuB^KBOen}=AA{Ao|&xi$BZ|6JR% zLe92U;D%qrnnh3Q|4pnrkQE?P?df4iZ#VGA&;`%4hdgI`&2n6OGV?>)HK4Brdyd@$ z%9}#>W{x%WL10>!v&)(F?Abf`=<{dKtk+{~-LeC`KLPr|Z(&Fl2PV*>No+08pFp2J zc*KV91Y}GCEXmj5C#W3Eq2Gj;#>D+GC$q~4E)SkP!vuoK^YGcT%L8j-dmgA%Cu*vk z1or$IbuL#SEya(D0cmZJ55VUlRr`e>!8B7E4akV#1rW-Q(yAVr5GE}c9fc!U4;wQx^{i2+W(1!httUMj+E&L}&t##|%^Q?1_CpRw2KlOspcK)Rw zA&}SqTA?3A*6_}{aHoXITG)ae3%|bZ1mNObzy`Cz;Kfc_WjQ@Nq)9J7a&jqHS{S(W z19PyLPC@nq|KcoIFRZEk=TT}xj!*8EZe~1>TGL3IwEkLY@r6@I{AOZgex@t+ChI-kSez5F`f7Es~ zQwnpf{_X+{ENnf%>wa)+yG5$Dq=FXSl*6wm 
zVK>U)4i}JrE!==Odch`jpMOhi9dQcJqPpS8pO-H!y7QsL+VCoLpin3Z7DV5&#ipiA zIfr;8Zc$rMMd*xG~+^s_?GJSyN!rHXHLZhiGZ4~rkef~t)rBa|* zF3_%I`W3VS>QFGFx)tbv{vwi^z?L%_Y3kmYQ)AS1S={<^!cEbS!F| z0>xEZm(tr5-r*K3=x07fWWK(J`vaId?=OBrQ|ICuW-Kw?uIzvGB=RC&FAZC#5KgDV7S%$(^EE*L0xbZ(EpkYPMO zcje0^<8c;j*0S&`+N+9os~jR-P!h_HK}7xG(u)A~U*l!t0l#*1(x3fkcHy`ou!D$~ zQY~Ooi<;DGnY1}!mcI1ocZjpTq0Q?x3VmbuGOe6?fOs}Es}ecxZc?k6&Fe}MCi1N& zB36{?#W|bxmL3oV*3tRLx5t(^{9&@-H+nBDZj=P%ze9H?*b4k9$EFh5GZtb&alXai zXB3q|&Q?VE`!ho;?${@jiQogZRNp6f7ipm)YGR-V-X|1Z#o~)F{vl^6@YN zRpn18O)VSR>Kk{q_|t;D40Rm20ea;vmS7{mFSbuCJe^?s0ctQq|4)ljKOF~b?~?#^ zVV{-&hUM@#EFsf}LJM&gC=BZG4PnFRip6{O>;rTebVFRRc=OrTmdFXY1%wQgy8tET zRf-HVYMD&O^4=MO=2IWu)$zY6Wg@eEX3k79ls%*Yg@m&;esk% z3&-^>yoO6>6|6l=z*(G0(iRZk;w1|Fzd&JB?Z*40aqypk#OG+r|NhCsyP{VxcH-aa z%nYlK-5`wO0`>VFNR!#$;X~9KqlO_f)+o2qNmqfV7&5gXLzurQo?bB%lQ0{ zgwMrifQjJiu18L+pZ<&jFtaUmLUL~?OVE=fJR$Yu?!eSc=L=w!6DA=dJBV<`a8=Pv zpnBWS(5B!{JiP}oI$KcAVs}eh@8@7lfnMv-cG@XP6Zvy6MB#%-wNQX*Muc?`6(wjq zgj${Wb6AT_hzletKFkj%?!Y_)^$ecGZ=OA)rJu{(f*_7v11S-=D9hz|VQeHNE}o$e z$&na}D%(Ts2#g7LGJ}q~vs8PV?IB2E_zEo_ZyTaNhiFdZ`!ex`q?^HPQb}+^#TmzN zGm^rcA-2Q}A6sk!u=r8*M%oi)Uo}A9EG$@KQfbIl!Xc;;OpmKoS=Q`9V zw|@Kh2F&W{njIz6Qb=y7am6L+_5`Dx+Fx<#foKSE1KtHUYr26|c|=YoCtS+^fB19E z=ZHv?Y+C{Pu}z6I!yl*&v)U(pUSS+hs-4^+j|0Z3jh$CcfZbu$NrbaBCjq6c8Mm~7 z;@~NT8syog8~bOrvlk-^tPJ7^Mc2O5-VulP`|L#CKRNy~aS^w%W`5+3T|N@1=P*1J z)qpW}KS!Tfh)H}Wwl*atan5|JuoM*bT-t>m%)Xz1cpv-#&zl9Iq)0M#P`|C66NLFo z{vDF*0^2@e7kWL*y{ieKp6fTg0bY{&z;yCRK%Js{$m>|<;pFgX4}nrZ3ZdMK>|rfw z!g>c}W#>!M)?g<&cN~k@qidm>Cjw1T33W&ZWUxcEnHu*JxNlmmlcacR4;!H`jss0FP>h=jvBS>g0oHDdK0z@OiH|{_;d9K?n%||Hg?HOp zKRTOeK_!w-AbHF^39-HR!Ni_%#5X&!OMTmLNIojJbdRt{BOf+UHqd0s|1Z9iKLhIQ zL1v~uabo9lC@q-q?&A|kSsu@7iTUKhAZu^O!P>_c>noX58vRK9>BJF&|X*G~Q+6`-pD(ulYJ($5W1%9++ zLs1aibWYw#VxFD=fFQIMbJ}36F(pbP8j%*NVaE&@39tQy=g>xn9@U{k!o(%Dp8|Up zvLjPaD0uf{beR)5JswJRBhk(y+G@<*3b&hs6UG;~y-XQMPET%Xe2G8f$n^&4Lm2m3O15&rw-x7V+Z(MVw4jO@*w#T@p@Y~+#{6rwCZ zr&9REhiJABOeEhKy{n!(`zpr_NZ!A6?_~e33*+I`4MR}<$`fh+ 
zS@uc#@5}_{9Q)UBlaD!LxwpP9W+tw&q4)w``|y=at1Wu=^ zXez0X%Y5@Jp!NoH z9tW_bSG?)}PQfg?Ae2%OBUzElzmNuU6yq+Io6=v&0irZl2ON9(hn|u|5lw7YKGN}v zqVhXMRAF2bU#hDuB}l0XXYWrmgiY#fJEKsnD+fgVe=HFL2Ts~eaP=4@@x^oqthVFX z(%Jqif~hLiuPWC5CetFPy-h^B=63E?qFncHr`CqT7B{2_K3z2yR~NMU=v0HXMZq#v zU=0;Oz4aGw`9)iOM*W#mbh(o)*NM?t851my%Oh90H!3x-~<-Hx}xxA5dX%tTrgN zFc>zSZKWvqwM@{f3US;_kn4_uTUQBcEf)e`gT=41UDXuukv>1lWoJkf0kt*nF^`Oxw5G>|oRc zdG0*Ov*MDNU`|~y=kg#<OJ`$A zFy(raQEdNJ_1eTy-R`AnR3*kmE`@mTA?S4VaP*+)I?Y z#BcML5iN^qBp3FCZbV8q0ac(*OrXk8LLiEX&wRN)QH@*ae;_vdbB}rEm1#Qm5d)zf zu>VW7V3+s+N;fDSDEi@D;wqPN8hZg&|DU)^T}@%jb3=mYba)l{2o>P-BW|i*+0m7A zT*IdD^RmM8Vgw97ow;N3rwc~;(V-tqu23j|9(0gYIj2K>!8W<8Fn<1#%>58uVD54a z1@H=6$~EK%xw1As&3yJUdWkBVqGeWEkjmAF6}v(xSJCy?(>a9`!5YhdcmWSpb-*&> zRT8h6T;;^KMA5|WZs;;kg76Adx{K~tBLN}it<0gnts)+)R4WqO0SsU9`XMo2K^w*dmY=?pMOxq}k(_Y`s~v zm@mTH7({JUEjQyTS%(`BBUjmCRo1%D z_NroY8C%QPTE^DevaPk;#!}l>Dw`@3ZnoTpDrGw*yZV>SiswqHN^~~R%HnsgY^G94 zO;k40a(H>)Y@yW^BCYMSip^v4hZKG3;pGo`FlS^fb4IqIGct6i{WP*?Gf+XF$Wd8q z|BlLXT~c$-6Fw@-(&^?;%*uR0Hs)q|KM4!%H|7{B%qMi2Iy&UW889-~O6V2@+U@X; zD!BM;A#-j*%76#27?W+P zAVrwIZhz0hS z*5&Q5XVRiE3IjtYMP`=*58r?sP+OjfKkM%c4;6jpUiny!Q2N9kk7;&eu-zv~G4b?@ zKCZ!sCEEo*5zH_Fl(?=}R1ggiaO>@bfe~Ld*f%K?MHDY z+FtuiRH;gB>`YYGx;YayXQJjz^q$T{+Z#C()mi|no``0$27fCVp(_`(I5q)vaYyyRYM#YX zWP`m^oGBJ@MsZrSwT~l(FlRU9mcWfc!{{pyT4M!8iJoR@6L0+yS^uRw?(O)FY<5k_ z)V{;~*)GlRA4dE>0d`F!5Oe<0)5@@J#{SLCA+ABQKFi@daRVV8LU{EV3L?S4uLF3@i5vdPH1Lmqd9nKY8tTRk zC4J?sxel!`?l*=`mjGjtfm81|qh5VD7!2yoW~1HelkTw5C$xc5U%|1{5@>gPM1zq& z<~{G=fWnXb)?0W$@0G@9ztEd*k|$J~W}|a>8uz!@@m{ZY)}TM%c(WpTJ}bZr4ea(yZnXX2sqj}S5w={41XSzDgUQ5@5R(GIl@2t_$)oQjH z16|i!ou;Ja-CWAfV4`^dE|Z(Z5wNn1ub5fs+!Hgw_Nh2MmRG z^Z4u%8>#g1r4o`z7r=iGBp&|Ee|`QOR{rwfi;{7Z+mVHy#V#WZ)eVH#{_QI=#w&H9 zz}WV}5=7L<6!|&ur!g%kq?W@z@H-zzx))*(__PVW;106OhcE708N^5j*(jWXqR#=YjSWjE?)EoTIj*Xh*v`ek1)oGHiH>U3 ztuB{}oM4*GBDMF8JNudhrQuhvpwk4ogV1D9lK@M2V~Hwcb#T$ zL}CRJHDBVb$c)NhT(cDvVY4mLY7jM}k8*p5XH%0k7M z^u-EB(`dJ01pQ8ZFlrA#Fg3gNeizg|*cP4UnbSJ!jJum14a|5zq7vgNDp)Y0KK7sV 
zU4mBpX5YBKNwA!>^Qz4*N&(L|A*^D*GwC4WW+w@ zH^#`Kk+guG!iQbPzm55y+)4$Z4I(Xm_AMm?T17HI*v|AG@K_MgOTA;k1ag>KhdSFj zCuG=lXHfI|>!wA=@B(Ek?(cOFX_MLW5xte|JBxSyc?ZPS#dx@=|l6i^xNkZk;o5pwxT=Gh+{uRBce03TS?~kprtIqbW$GPsB zrB!a%D=aR3#u~d|-W-CJ@zE6(-)dTrZG`psJ^6eoK3~l6tOieTn6^$gvUAU)#Y6m~ zc+aRQq(n_gL)e>eF@^oz{Wq~Jn)#ikL4f}r9b3b@gdt+0Wl92+=Qc&;MqKH5k9Vwc z;{5T>N?ViV&Fu}F({8vxB;Ssqz`09C*LDywtqp%mYdcgC$=kztBtSx{rb*>L|0UkM z6AA*Q8LHOBD&4Q*(a86FHfAuUe+;n4T#v{!5}TaqhTh7Llg9jj&7QI)X3}QbNggJx z3vs+&TiIo-+|{v>JOj(D^fD6lFGw$)85u#{pzC+i!X z?EZAJ?0EDe&nRmj<;lW=$#6HX;#E_~HmVRB6>fVf+?EI~T~8u|+BbTLA%^)+}Rh$fP1 zJN{~5N3IjbeJ!sNG6im5l|i$AZ;7*&A;SjZG7#5Bwhc`pZUcE$(>xxrX2FGy0jwSY zV8v7sS>x!WG>(sat=Sq{2`I2fD#yqU9M&i3Oa^<3{ltdugy9y{fvdV^5-TWb$1&MU ztebZe+oC3OsZKodP=v{nOejwZqS*9)Czs1-HOcIMksU3Np5ja&sgKy9bRk5Xe}yNB zN{E4%e;Ma-QKWW}3%;W)85iOlDit`VX{ z53&X`Rg(?JykAI-PgYGDXN?b~W-+w%3Ofl>Yj$*w8EOt4=lS*Z^Xc?C5O|^T_$b(U z_t(7a7bvw&M$Yge?Ms&bBxa}YU1#ecTNyF30kN>m#jt|d*dIBdu@N4VDBu=DilZNd z^{^SmzJP%xQ$x35=eNbGpzD^ovLe@2L~-wrId^D_X)#}Bc)cQ#?ebW+3Z@sHz5nzl z=G?jPfBJJo-4Npl#!XsflfZS-7Eyd^ESyKP2h7PlW)GRW)O5<0Px+{(&ZPV5qx|R^ z#&qp_PMAFAzL$I=;{v|~Gzbd2$p*{aGtp+V-C3r168scdES3CTxot`x z|JC^RSMwVOx+{Gw<(jJgpyZ5Nsp*sxuDa=!noXQ<6^*8Rc`LOmJZlw=#tyZ)M&n3Y zb;U_w-)UCr%QqT#8u+(wFvu4vw9!DG8M_`MLC#a2!e^S1@oN@icRtDbIm449N$woS zuE04Yq8o>~`7;ql{JR^vOyCF@g3E%~2{{{{2Wm4EazzZ88~*gKh3#GVsj%DPIL}n? 
z$^?WK_yf^g8xJ?2P8B*@5K7nB$oW=YDSS9O;o7GQ<#a#HiyA8`@W*O;VUW`cvxe5F ztnMT!mt2n}?DLw#MU=<=oKmLQ+X)hUO9u($-RX5HEKY){Jv69fT8s z;E<6!<@&tV6}DFFMa%qTl|I&-$mMQM?Rk1?J%99iHuh<;H+J;K$1^NmS1OrWF?e-8 znFM5#(C8--cSk0`es2jF7U3(L z!>%O7Kl1MwL2d-O5#&aYZ(NWYd7e3(M;x0f==e(s>7Kxh1W)g-s6cu^up?Utk&ZXk)kLne zeh(%*T9L)5bh@IEgzw3jefU#V3ZHRoR3;U;p{dE(({8KfPp^#UaBHKU!@p4R^a1Ff zs6!4k4memNO1JJ zDHRb<(lT@E-^hjdgZ-4lYTp+zE|{QW%MVg+F*qyuyfEBI=_j_IGf>WBbaT$0C7pOw zUOF=Ol-u|ueko%xJr7PcD96&J<#}-d??!r#>%GRRy<2e8ST6s%mtJn}r zRJB#pdhfHKP35uPUJyl5bV99EFvJpX{eU={mcD#bo~y-)$#)bvvb_I=!6BMaNZHKy zV;mxeqskye7WDlXfe0AUjQ}-^%5fg$G>tFcHhCHlYU86G?Pi2Lrd}?u{QEr6EN287kp*X~8W!9F@^gvC2czPcs{-);H;6 zdIPQE*0j88S{)P7W`aFcdCTvS@u7Eqkot58k4cdIHWuSkLw`Tw=$N0t@-+1F2Z+zpmd(LJ8RE@^Dp^b-c2I)g8 zMX>AM?+4qU)qy#e-WLU_oYP#csutDaiTt^1CS&^_u$7icC=&LHg;^=wr%a$wr$(CZQJI} z-gj~M-(7cPWOcua>deS|RoTCMn1im!-0>;U&%2C1j7BH{wk6^OK>H!d3pjKg3+~Mt z!>wJAyl=7CafB3x#&k*|@-k+S38<+eR5&Nt3C4(gtFj=U`ZEbxqmk5M;Q)JsGKEjc zS2z{oWkOj3HDKkqeWJ+B9lG3pcgwfmT~iM zW0t;x$jv%f$OAoJrzn7(~TIpRq;)VzVWx1m_e^l0S+)VFR>tDjgOYrmL>8 zLg^`}S#*jB{hY~ZbdsP1)a}2NR=f&{EUy@Ny~zJ!YT-B1e5GV$)uA0&{dk@4vwf-= zAyYoUj7{*hrYKELI%%}Rxi#~M{xMM>f-M!rhZiBZ2^UkDH4nF5UxTzs7kVy# zMJ(N~jc|#+y>bKC;%=Ab{k9c)#T?t*8n^d5!PK)3Y(+eZ)=9Bp^||ejJ&nSW-eh~8 z+mAb~URjBdWfjf*KplIG!lXs4vG6`xRyaXtf2lY8kE1J!!FJ^=Z64*I(>Foms#bAvq^ z(O@G;a;cqRZOUC8+(;C6mjyTK!bj_VAQptG&ip*G6@s%*Wt}k?S>j=ycclR6>x;};9uB@|BXaUmyC1&v?5$CHSPm($D=}6=a(P7at0jqQ zlH%(sj&zgo7A~^b;4e=eXzH2xTZr{0V^>S~5MkE%N8~FUhFEv_J71lE2l4Z;QlkR9 z*;lcD!E3fS(d2gnlUbLd{u!s@>}1j8w_*ZIHws(K$zZuI(0d2<1(}Zb;KD6v=!4YT zyH?abWKp+@4qE;EPPC?@AW04Xt+rJag#gcqtJO5tT7ETdYlGXR>@A;;A5}Ym-L>EE zLk{$*VopNs&*m5qAK!sqz8DTmFdq((f%*ULHL#HSrXRH~mP!2UYueUPs))tvfFtZ^ z_kLbM`3i(&@1YXGs`&W66O0UB?01BNFB)vD)-78oU7_e$ze!prBiGri+$Dc(Y$8<^E=bm2!lGuh} zUJ{?5)SF{EseOvo1510a>~7g1U(0T@K2T3Hu$II8u22gm{Xi?NQ8+6O&(DS|>XFLj zTc&%wJ#?%zt&_`q=K1qLDDVMXVWk>bI4kDx@j+a#1GJl=9&W1pjqnD2>=kM_6^C*V z7C6{ON53UHoYNXs`wd=3r(XeK(2jul-A}ZgpLRM01!hP~*m}RdpLO!|W?pp^b9S$( 
zrn6so+j024y>G*@KA{q@wj{gi3uHQ82Eh_lFGftmYWx)qy7WvSXPL>Y6yB#W^MYX& zL!{Mta2W@ZtWeR6t2{q0 zWW~tB{E>@t7=zZ0j~{aRwdna0LS0*OlL8$a4f1ul6$9_=I4P0I$;x8d6GbM8anCse z^|ylh0xEwFjlR{BGd5YgSA);KN6!2zg8a{9;soBfN+*(&P8d=fNmm=Ax`ymH5@7xr z?lIdYT8g0@QtiX1jAo=t1D+kZ2B;H8W=uQMFCb*=*0OCBuO_tFM%N*( zq=9%xMRR$zvl!BDRN#$d*rZr4R&6rpC~|!x?sgoc@O@B`SHWZm>6%rES^b`Y29!H+ zX@m(&P4AW&$CG=_Tscr;zAbE9lUE~9+J(LkrLdMaS#Mb+gQ~)-|Fh_G@`vTExo67> z4W6xhO83>+D+!mu=Ka6BA<13Wf!1d_s#L4%Wxu9N>Sg4C%va>A-_by=<3+S5t5B~$ z3X2q~lTZ}u!{qJCI5716F&|a%)lO@YJ+YS%c~?jKBmbDv0JA+UFMqYe2s&Of9_sCb zLe!0ul!+&6%1An;rt zgP+c@*z3)PJRY}d9%z-kws7*#Z7={)O3#+`sT&P2w+Y7sEvpH05->kXK^1elJ6)XV zkJC_habUv^Ph`wE9Uo=6DKQCqX30X9JwkK553wlzgjE!AMI%b8EOb*(i#!ZTl6~uL zML(3CSM6fZva5j?qy*x`01uUFm!YLq5`Diti=9(@RUn8BIg#rIfIC-SJiuOf!!mdp z722(xR3X(bw66{9pobPAj!wN5BrdoRW-TG;_4_NTyW(buUSEz{8c%J1%m75Iyx=F| zKT%XIbC^ZRt&8rN&Lvb~NZbsIqISCq1>b$CC$^4)i= zE_aw_pPD;zq_Ji?OWYUv6qV0kG&*vJ6cc`*{husZ%1F?uIiHCACXC{B=rUfkI%vH&%RV82B zb$}R|f>pCKdAN|=kbXn3s=zkdUSr~AsdgHuFx4Srf%v2A* zeK2in#gP!bhR}h`Xg$%J7Cp73spY6&ugTQubT+V@CXVN>i1lqRz`c!@G)|;stkJPM z+s= z;or!m*&ygFD9JLK%@ zJ~5<2G5*1N?;lorb+LHYG*7tr)v&UZ+Mb1G{dP~@PG0MD_u7}n&M2D%ZL_huoWLd8 z2CEDjT^qoFL1?~$mBqXsAia6&_qkB3;q1i+7U{lh_9SdLgYlfn<3NaaCt#8Z!w{8z zZ+Q4J&RY9iz}6T({ZjEv2M2Pg+KeVxnrjraPrt|d;&>bT_`fJ~%HRJdW&X74DWyl% z!K}cL%HIq|eBgZSE#U?*XkM*+ZqG4untqeMpD@dG8rqzUDk7UTG3Od*@HZD;82*aK zfyupQI?KE=RlM%sIg?sJ0`IiTXWw{uGu2d;4-5{SOZ6r=(}Wl#AfLn$I}FPktT{u{5((oRN7~rs z;E-dEz9^JlP-BY!vc#*E*wW(gs#m*U&0L(OD6!}5mknQFFM~8|6p^jHc-?4^hsYZ$ z*L_kXGca1D^GrGr(fI*VP$etGlfUcjL(l6@Mi#!rtGIF$idwLjYY<=QKSn8`t>Cg2 z_M(fmR)Gb?6w6DEQw5b(<5^Ubp|N)JIhwp<7PUC|!#wKuMn%0ePI_F1tKCo6B8sPe^ydLR}8|$DmX^z0U$9~ zO>sxFpv%Y9%q*3VKZK>pHyIKfLDicLBFW%pJ>g9Jif!K=UUXo+U?P@6iVbhcB4Ga2 zn8-eX7x{N~;2mP*Fu4W9qSlh8(gKk(DG+gZ*MRBagaNs)a4ebFAC?ieGZB|GGL((N zNJ4BTc|rP)&ddn?rJ2!*kdQq}rVCNTJp&U9x>kXixUVoySx87_&NrlNjtF#~80Z3v zPj48r*VyIA{$}7v7BXK2y;Gmi{SPEnE}qn4JU?6*BN+-lSg-}`@)fA=O+m#QaWUYb zm1loluu*f}thliI>|)zUV>@%Vg!=ZY8I9TBdrf+I>r$`A0oJ77EW9eOTzK!UxV;>Z 
z`lq>F+}+B?m&FUa)2s|;7luBGX6u`VivB<>ZWui*h<+jvP!|EoemvyqvwtFJ>cEA+ z>llMbfuYbPd*~j&=pHFj_&}AtKT>)z$@qtmcU1NvbzeUG+<-2qXAqtnxw?90e7*ks zilBeliR5ox5ox6@V`(;KN~0dMB-dDxS5%=*dgSzpYue^O>RE{letiyo70HT5+k&~S z`h^cE3pUe^(q!B8fj%+N`0VX~VD<8;{i?O$Ubo@9(dlOzDbE_NQwL)by7(OXoH_dQ zfAnyju-?WHT-tNEuc#XS+N2s@MZ|V|cWpCrbJAsdYA9JEzR_|#O_SzPA}y9Oi(EaO zOVKg&mxUSGS=8aI2JGTCB`lpX3zogPyo<`Cbe?kz&JKSH zTi)*;^2&hNXq!#GiSYc!05f%>aJe))OuQ};t+)-J)(K&wG3=RExuNL z(W)te*8<66k?ncGUPT^g-q0phQ@=(9sV<#mm6h0pRo})$2)i-~)h3Rr@CPCjX49bb z3Kw9;zJ&;t^@EU~tkpBY~ zQiq#rsd@>cOT>g0#tysLsXT^kL+B9(W+x#WjmYLwQ9ClW@aDD(=7^ss^vIT~5Y=g2 z$8M(39MPZ4Z!2wiq=_rkkl{$;dDx8A%T?6KU&|8cHo}f#lWd{Xg8-d%C>>Li1zov0x7h zkbVRG9>iAx(Z$d6YtW&&gJl_pYf^CMns*|+^Z=VzX;c35)nD&8!% zC8Kmvqw6_pzGfb%YfXNgrPZ|k;^r?zJ5v*p|J?87{v$;?yf&0-zI=gi4DaSy(!Vv@ zz#Nd2)DmoaqHA-w0;S9<_(wc#BQ3^H1Jh^|A6kE zkd`20&6lYlZ~K4)gV#=_XG{`;I(~gL%FRm?@nw!t18_bz`sI#xL%`h70n+ANw3}q4Ho>}JkjtceIWs9{?SHD2Q8nFiTUyWrco; zY6}w%9u0xWmHqZW5$K(cq$S6=VpFuP2O@otdHq~)p#zblAjm3cJ}>nlMB9UpfYMd; z{aXqo`rd};y7T)(mZAi36*L=KTji*ZVXam#Qe*&ABA=e}#f}CNiWVa`AF4OjWz&AF z1;w&psh8Hoo%w?pdzXBE2sa+AE9zHheYO&QDnXtyJ}Oa6DUCpBnRx;#(l!^&pglZG zf<4bQTG#bp*CFCZ?7cE8R{Uy86WscN;J1W6o4(ZCIw0}+M3a0%I%c@au=7@|2D=)w z_g$_vML33Pb$;~##+n~TePiqvw; z;()0z2i9rFyQCo{$uDHX3~s@$8^ZN{U!@eHUbj();2PE|Ht*-X!Q2s2dx*oEDsm+Z zNn8Kx?Kw%DG9;>D@c)T;ckd*8!guNi#>5VN-9*<%CD>iYpW>E5K-Kij3*%-gQizH1 zqK=?-y2!bKeNa;!oD)V(9_>&`Zf7H|tm0mbyN5~bZxk^$u(G^Nxm;s zxEq0v;5L{~Zero0$@AdqKbCsOFcifl?cDE{M4$#KJx%#j zl!tvHg;=PSm*@vI)@cZcAUn-!x=5_3^@%7A^-IUL|kU z*(0CHJ868UtUdG`$pv%2*fMeb2kfA({Y4&Q5F~?xykHeL=?c*87-5#atD_MGyR4f} zLw`i`&5|}=7}`MLH4**!f>{5~Fog?)L}n;pB0g8ageBf|zJw7=*`z5CHDM<9jzV4x z)(ji;G#B6sYf;cyKa66b z8Cr5&&u6Xw4~?K1Q5u_>M@X!xgNhJqI$47VxfgCWgOy>&&#vHzYa*jJ27UHRCKr%i z^+1;-L#w=Zi42q5dj2N<mB&W=0q4HNg+W*ahVs0hl2qt!-{gf{kqGnAct65a z1Vr^1#8EV{d*#)bhgcxm=u^jwx7yPCxq;g?ZJHonoC5@k@%Br}kP!()8? 
zwLkKsu&aX&!IMvVG0Wn%oE{^`~G{BR=8B9=e1ar$Z~XaDTZJ6K6X#S zcQCuC%vz#n$D1UK+VSHAiV~5t1vK>HeB{Kwm%(qEI>x|ESUXXyJxoLtMcl%?hii=o zwG)(g_kr&R#e7e9*>URXH6mBh+xwk{!(~b_6}BI z!p|h8QaUHOU@%<-4l%J$Gtqao{v^uN8SYntLPB~sTE>3khdhNgH_rerAb)k6Xp%wl z!dx8^JK`+TYuYmjj$WNOnjVC`;b>^F(^XJ%^!o0@o}Q?Kj!&<=HY8oQ47UG@V{Y#C zRlF3K8tBhi1`bVat_J7SyN$Q@3^zY^ngfu6C_+50ay8Lc&Z+UQUw3kASNErU2nR?%B7jk|gRiSiIA`F)r8XljQ!3 zV*-LPru0EgI0;#Z7}SsLf&83KEj?rrC5@82oqFfFS%+#Xy@>jfWoFRb`eExn{WlZbC2O=ik%_i9mdiMK z!)N+;IRTIHBV+*quI3c4{of#7>pvjgKX)ET2>J)aLn{7&_>F%c9?=ou`L1Tj0ypfi z0(XfDe(8=ZkU2Vv!6AxRo0EF&Vwe8o;P?X|82aAt@54;z#YL~j-@u$++0?*K-q>$t zD!d5jBq=E%JC_BC>4ia{#=#4!Tz#eQm%6jAo)Hyxg}G;5J1o&z ze<7%d(?ui43`gP#$|3&$g0$l^e~>nb=Kn<6o^W@ajxrU=-T zBR_sN_)&`gLD2pQWwzd5Le1!<^_TI&=Fh4DxBn3ID~=YsUU6qQcm`^RYL`;>;oph% zFNBvVeZ_@#%U(;;&BbzM1ZAIi@(6_l-Fhb${;fZ`HGy`|cj>zATPGzfy@vPkL%RLR z*FE;{EjJ;iAM+Uzwz+9{OuFb1)J@qNce7the_|E6|CSl=dQ`lyr_N8K-1brvia(SL^_i$9*(<`hz( zI=OGWR&91R1vNY)q;r{C?tilVBOvjCt^U&N1f5oddh1ljrlmeIE|sdwk25{+V@=i} ztE(W8$itorL@!A;<)HuVfrwBxQ|Gd4RzCZiu8$)K_0f|9=oYrD_KTai7j)nJAYam@ zLzJ<7mGlTWbALhG8KF7Rhq#1HQZ8d6)NYnb@!N@4+H^us~~pHFu%PkoP?3p!pm)Ti*WKMZYItu+~I!nA3T+TEH4fpIGu9y}r$ zD)TvGLcVPV5x=$Mm2@&$dUZK^YoYd3FhM%(?Ja#12Qh@bH!esmU~6y(GiI7rJ2Y=H z{ahp$9lKU(eJCkzndswG19~H6;S)yIi8o1E!IN&d@$$u)m8i=5rR+P)LoyRozzQb0 znH^C15*XT0ZF&L7!9?l##;SZ1807Jwi%tT2juf{J5yJDf?RG7nQRyTS&rtuY8Tf0c zgITXaZN#Y-xE`2vW<{osqSWR@?p%=v(6k~ai9ocG$;9H2p9qL;G!2MUoUBEaY-GQl zNQJ2!y1FFc)|i;yYOq?L;dgdYPXP3nL*u z%kwKpc~P#q@G)xZEw91YG4ML&Jc#7w*V!VZHXRsO|Mn}HJ?y=8ISDDYBq@y#Bd-r8 zY9lr@#$HAKCYwJtI6oNZJGPsSj-KywI{844I|=cLXsfeBIPT zLX&Ha*%Y+w$TN+7LIyaoH&AqV%m+AWQAtQzaydg$iiLOCB|S7qt}39hQz@lfDyLkc z+-FOqu=K?^9R^?oOL42~k@R@~DNee=t+OhuqmGl7fGM+HWB-KoJrkWkjF*!Dj95zH z%l%e$gk>S?hUF>=_R)~dr|28TSS^tW%TT8}M3L@&H&-iYRhGClV~1J>`<)tDA8DZotvbSSh4-p0%qpC z8h#vuEoJt{kW#%Zj%du_2CN`v6=s&;<*NWK>EJO|v@R~)fTh2--^mXe&4oxOy@R}E zSFPy*ngX&R&1d(~-7|60g_JXiu$rRkP)ipBb?>Y>jHcG}tEFA6u%&Nn(oGKagx2ms zv$Qzi9LOvE8-k_!V>5qm;Ui2}jF7Mggf0Q_Yp@S&oCKdJKJnacTJz 
z@~4)Pg>klGMbNHP=HMNt({O6oBdTU& zp!pZ$Um(>GiA3L&mY&fNEPO*}KZ;%Ea8FN_*-D>5~l{*h!#dlFnZyPC0(=r?9%E3{w0v(&9D4AkvR8Y>lwC zXU#Fk8%Ah{>OMKg>&)5~9|fP@?lJ)3V?U3bUU-D?xwlWMhlMVM{lsoykVnPgh$9 z{+oa(`R@sS`Yy*^PP9vzQ?Hmq_$|#& z(DQHUO`ABFfQgt@Y>ZW-5o zZ;{Zx*Mc`1b#5gX`=<~Q+$0Hwt8{eZ%6h+Cf}0nHa}4wYc#L+4rJOYJcvudIc}1CN zdBsouNIX3Qcbc}>tI-Y3<XrZR}%y0b}HqoDewX?~XVUCQw@O93xh0+*!* z)S1fVlSfQgZDe?)$pGez!pcwfMnmSzBEC!OVQ7&$0}bsASHBD^Bs*ZS4fW99SpW~C zvynXN0S^<|ia3DVN-7LC5bvTNE_L~16j_*H*+yJxfJM>UM)(lkV9s<5^OV-+J(NH(4}nPEy8@1(4z~VKSTG{@L2xx zBM0o6na2DW+@Wp74d_PyApX<~=q7p*wg7*Tuz>ye(^^@r>vFob3ig%vp46)Y^QC{2 z{646o-rlccpLUaWBhhrOw3}@CS%!2e*Gp>!++6|N-SO@!w`Y7!3ftL`4fGI)RgmT; zAxO)o@(kCO(%y0XPGgfm)801iQS9Q@{RJQqtt$0s(OGMMW{)HHA@bZBVA|LpQT(om>9|ms9_QIg=_+tjEr+A=OI? zo9L7Uq?q*6Of%e^WTZ#-I=i|SA94rHiQuf7XyZte%eun<2hm8*S zAMW(w8>rU$e@70pbmBsd1$@FXhTB;kI& z=pQoSG*kQZvqo{q9rb9x+QOy;-h4A1WB_;~gG1l3*6-tu{OcKyIE2k;kB`zTJ0r~Lp^b_2uKKO$c^W&eOhL8GNr zbr6#|OLgynN@vhDXCbxu5QA8Z64!}L5E}~DW?Ll)XNN1T3Gu9Udg9h62m&S0mr($< z%|qE22aEM5tiTVohD=oxNj>Fc4>h?)KL@G>#15&U@Vw*YF$FIuBm<@{{CQBgK;t7Ha0@yR`51UWBjxL92HuHw ztRUl|eCf|NV&`J5l#VxJSzy*1Kk18|F$cpBCv={2)v|T3P!D3RGNwq63#x)WL8h#8 zjvr}jEQG>zfpYO%!atGi?ikJ2kR4LrpSNj+gd%sbjgwpg)BJw0VUg#EuXs2eFfloe zV@|(h+!w5+FeNnm&pyQL9aVm)sw~`fET`KYS=S``f*qinfDBNR`Y(beb|H6`0Y4))r)8*x!?)(szI3v(Z0{Lm=V z^I>_-8A>vLMBYiJm%XVS3+P|~(VOs%*1HvG=L&SMUXxciImzHJYWA*$OO1CLw=s7B z!FK&}qfc;gR)jiy3r^N!{lkKwjUl1&^X@m#`YkKNqC+?<ODqhJxi`B)Pwv(!D!4nF>eqW{Yj>3mEox^>Kl-g&liP*96^P2UT^5g z@DQ{Qpo?kp31YiPuRnccH`m^6_@*?;PN8{I;&9~@oCIcTn?LImYN`h3X| z)a*sc%=`4w^VAmrn7OXh-?PqDe8&9?h1$Wfg4P2Tki=n}WKtIkU-x6UxP|NA)spek z^5u#W)Kh143C?9I&)woA5k++F-0v+2OzO@{%Y!uxxL^3Z=kTa;djwIWE~Etc=+IdW zX4dr6a3lk1a{BzI$F^eVSGeed0D~UAxg4KWy}8bzf>wl|QtI~=2_GcOtx`L(Z5Re&;EZfbK6`SL4mwMN1(oWImI89biMs#IP$~~egoIJgdLEER92d}YPo8F; zJiWcB6eui{Q13eQ1@D8-R$ds2Yy~}B`jY44po4ZbfHKFA)Dh_mLIVhV!)mylVd+U6Sc|#EvmbWL%2djet zvFnLMhP?xhW=JeAHJ*&g)e{md>7ta{*~rK)T$Z;uL$*cBhr6~dcQE%*DmJAu6%@nh zQNC+TU@tFV?v#Q}0Y0k+G;Kpa3P>nBQMaALMsAO>U8PM@>k1d#z}hdY$yNg7EAG`} 
zuGjE>wo?i*TMy>w_og{)fl+#&$vhRrw{SWP8Wc^C5`WTYoEE)oZrp4M21uFFRiWgX zv+Ne^E%b*->@E+^j&>(bF4`1{_1#wP$mOaM|MRrf4(zJ;xZ3_mZ0m~~kH-G?^oD-u z#g<3OYfE0rw5`=MRHJ1BhR*4T)6S;TOw)U$T8-?Un4xp-8>Y~$XFB&b=jT=A=Jsiv zz|BZU%OHQtVO@Jat@ABB_PxV_gy8F5BolT;vm9K;Cbih@&6z{9DKq+|?s4EW5I*!p zd3+aRY%QD?S42jHoZQ5+|v*I<59<{#4X!o*e&n!}ipSu-z=7PP|HHI+lcad4Pzvi|Z?|jCidWJ!C zxZA9#{KC7B=4nZQNW3;%g9d#eYS0vN$Oh5Z-rEY3Qpt0)CX zM4Mr9?pc+2=h=(Q7h1w)RE%L0Qav~8=HL@Yvh}GAezU+JXrkdS$UsVdw#!qO?w%Up z;DkcW5id6o0qJur+LDhv$|+Ij*_{*N>GY7PTrixpw0-o~xVbhiF0Z05S(oNOW+4r9 zE;|_snJWTPn9X{l2~VQL9?sUk#0rtVa}lU;g>^1OV~N|GiegcYuLv!yRU#w@#kPhX zPo1qZHMYsZ)i!*^TK>|Xl>yRjK?O`F3G;`pmtjvuRjHE!(rvUDGo!xJV2(e@+)BH} zX3U)KjkuX8I77lr6`S1u^fnnWiSv<``^uH~iE(Tkl1RCds}}HSCKqcHYZa=3ch(Bz z6sw%Zg{Hg*zFkDPrbKtCK8(IURL>@abzL9xdPbX!)Q`ene}r&-e;FvwvYx1`1EiJOJvYGR*qiDbdE#r5mhR#Wy7Kbj_};Y#6ZG|_ zXk)d@KOc+%l9_>JX>I`Cv-s6uerPfWtHRt2VOO%ph6$@%VV3FRDy30tJ$keD+#O8%t5JnPM+B<)&~hiI-3OUPuf!v7 z6DSA>y3`|tdLb}Y5P3Ti$iHXH6j6BQ&w7B_U!)Zj)!GaJ2-@>JR3Kw`EBFfw^is}T zkU(WB@#-{YKx9BL|If6$Lq6x=@4UePRK)H8_RJx(C+R(6B*mw7n3T=-{@}RMHa_Iu zzheCLFtj$3C$j1W=uLR^lzruVy%G9+bSZQ$ra<%aUfcH{8seJr<(3<{@WPbnTC#Aa zR8`?R#59R(8B2P`s0Y$^6AQm+Se_K**WhNr6O%G_Y#U^!WCqAqBJ@yrjv4noUTmg60ZG}HO@?uUQfcP( z1|&VkN(y-HW+4e+c9T~l@G5S;g`em=dv8|XA}y9Lb=A>qZ@=f=N1^9b=v10iCe90~4Qbyc?H3cBKujc8cad2PA zBU*J2#uf>BBg5OLT!kIju!pn|=nBd}1X=Y}inlw5Yh}&YQTQs97G#mz4UamJ! 
z2cQCCnTY+oJo=mo9GUknWz7o?hQ74W7(F;ZEiyrh`QE%;$I$nQI#M-pHrk{eVK1NB z?s;>a{Ot+9?*H0T)GBW-VeGwOifc5j1XI^(QLb0it>!n#C9f0}TFJi(nqxKiU#blr zY3f@jH_~?(qVyUbkHZC9F*$O;Pi=ROW%TzJ!4V8;d!v((0fHJ*;oi^0WhrB~?n%g1 zlyarbsnV5_v|w&c0K$#S3eY2w43@*_Nn2DbxhOw>aaML%H!BuvJTIFaZc-I;Y-+d8 z>*H3>S>?7=3lro$tqIk|R;dsqNG_|8qUPcRmEb6ybWfh^HO`9H(>B*UL0LMYCn^ij zM{uh}ic40Y51mzX%<7Rj$f}?VoA3tbO71G@p>KYo2Qv({_R&o}8K8?dA3^n>Tn^JE zfE%F(&u&NS!7TkA(&Y`FwXA6WW_~inv#>evsEcP^-W*H!s7wB-Cw}VmpL#02{Q5Wu z4oV4LfU-7ZkIdEyZuNwYf<8naz5ISy_^(_jcar9gOLTw9z;B5v_LgBi#W|61id}>Tw!fEl-VggF+_Wo1m270Y z>+|v(Tvh@Q2nG26pEma=x6%Lh`u`-+{jV4Kui26Q*A=vXGV=akxsqfhK*9c<0`&6^ L{Hd8;{(bsyh$&$8 literal 34258 zcmZs?Q;;Z4)3!Ud?U^;UZQHhO+qP}nwrv}0Y}@~O-Y;Sw?UU|^KDhI$?#QgVt1IQD zfI(0I001BW!VNgpBE~a;OyB?jWYhov(EmL(ax^h;Hc_z_9el*$GJ=YlBLku>b-+D_E2kfhuDHVxfQ zYknX~uL&P#*4n4sR)4Ej?M#|10{zAonIbOxWP_ z!@E?7U%sx#6!iTg@LQi|$&h5o%f1+>b^meRfH5VkS&{hjNZt65*8W?iFkx0hTf=fJ zfdLs~#gi7GDjH+sC+?(XdN<5e04p6l+%ocYoNR>$4K2)n4-Pk=pP$%}oeWG*JcIq7 zdx-!x#?4r$rH$!81gu07Iv}6UKehak@=J0E$;9dItt&3}=;23r&5Ug#YOcOe7%a~^ z9Pzo~1scSNxBw6gnuWuyglqyPSNu(Z{XApsxSKgOFKe({*C*{4wh@voZF7IW^?1bX zarf8EWTXfje!Xj{Vm@%hdq6ZWM~B!lm)=5}bb8CRm%$g1lL`1xjg@jT9#&{MwtYyk zfCe0w1lbg|Ny%cJN^af6g18+~I;vs*rZL=Lpdqlu#E?3Uu)X0Ijt!j4&@4935n7g( zI9is0F6dLEz%ErPG$J^T&|qEAq#c8rrU0hnv8S1nFzO88Y2l#9z7VqGxSoi3(Yp3&1j6jB zagVXUpbG642BL#{JUWENvA+!zDqE5?V6kG+ePdygeZ`V=+nX^1u*`8#Lfrlj0@zLV zI3{D@XJpS`M65e((tPZtaIJWY>1YT>n(IQp+BsxVK0I#soM1sQ=bU!j!rQdfx(P>;Cm+Rs3J3AzkZZmDt8 zMhN!BXgwK6Jhes$!qN2zzuepp!OoCJyG0&egy_)WwFY6G?M;qy$8 z}#2~jS9(hh>?4+gLU@(~E3_smwJRAXW59g(xlMd@>stJcL8(@DHAX2f zFI5Areiy`sRe)f(Xo@^{B}dAVI4%^1)2AYms#`aclbG^n;~X$O1nMSF;#n=E%C>sQ>c|HtT z;AX^=Zc@}hTmo}%svHJ~7_aYCsSmlpo^j<)=E}+A7)pumiU@Y_c$&ql#`Y`zBAa6MVrt-|itE#nhuuHr4EY*-{wiQt~!J=q0@ihYti4bW{7r;ujK zObzsiF-N(V&z6+x>PS{>x3(c!q~Urx$-(8feC*PRV6(bDL@DnJlecehjFQw@)`lcu z$E{5O?j_guo-u-0cvg;$#L}B>_~oy~y9*ACodfgXKse^m*A-?)p$)-(-mr(6uTIu% zuBW(QQrk5g4TWs0(x(iO?BK9pH>u>EFdk3xN3u&3O|IZIwf$Dr!NIS@zht=gq~!XN 
zGI^CT;c>M4NJS;XdK%3sTcIuIcNd32(~&Kx4GwCYqAGtUCIIxrn|S39Yjcbu=~Kt0 zodpmbEJP~MTqATmW=Cl(z=;b9mB57RpGTmT;xO?@7}b8GS3eBX6bykMv74*J`!bYQ z=D!C)kNL}x>gYVFfO0GEMU3PO(CxCZjLN0M&E=m=+#pp30zn9&N->T`fCvDrNeR_i z<+#o*4zPzFwiOCayXahim984e+9%PRQ^}i(UaG-=Q8Q_A%0lU&Cx1BI<9%`*!M6;4 zF-XgYf;zt>{6qQsnvI@PO_3% zk(#xP9C(7e%Zy6y>N*u$;fbZ{Uh2(cvn0Tk7fD{C)CpOf_D+%GAPZSy8KF^y4lp}z z(r0z`REYsJwE6KkQ`y^!fh#$X#9^y($Hw$NgV8cGfBH~^uyb3-jt`Aa;bSLYqZ{R+C1km|FNJGgS)&s=ekUmRvXnAaH+%sjI+?gX!{1Rp zYuJ!BjnHdJKFZ;n3K=kjwJIgIo_832cCnRxv%8ZGjgdXMSE|{6#O6x(RJDR?8|>u~ z{K$kJxB4}2Oz3FE!4?$jE1b-^?s)_Yr7mjR*0A9 z>y7pJq21z@T~af=ZR7vI416ykJ4dN7!5HMg1kZ_(H@z+O{Km{T?Dxl}V{l?Z?ydE2 z%o)zcqM-bGIz?zV{Nf4*o3Z&Rp9b;(5h}bb^8)Y|f%4{+F)VWrG1*n;h(bSXtve5G zdtl0;-5B{QmOTZNJ@Cl*OcA_$2N77<|Dkg?EsHL*AnrNxBp4+~G*^p9wJ>PAP~qMC z1LINGnELLuuiU#%tE&qoj@nSI6K|{?+2o<_-QZO}ACtWYE$!`5l@3u*yJ*<}s_fnI zSWfQVhu;2X8PtAf&YnZ{LR1DWClpORwy1yHRY%=;+$DSo0w zi;(y3Pv9I8Ozap1kHMs~0_CK{Vva{N;BloX$P{$Rmxzs1D|=ZB~GK zcJn}3+=o_&kJAa!@tv;^&Y2h&p8^yny2YCX1}^`V_|LnaM4)$cYiUy4s$GP z8XV%ew-w^GDMP#hQtWIYsfd<`(YD9fxT0a^oPJCK7*9LV$Jy8WNX*BLMZvLlgC!Yk zaHzpQxuR2B4BPR|Hy$z^G6iB!uyflq2l1~C0`9R+ZowH@J#@WsjfVy8h!l9%OPmf} z`t7^-;I*wE!rxBQ%C1tS-h;ZhfPbn|f00)nz_YkNbS(o7`-~L`nO{Sw@4g(PHdc0W ze3QDI^jKVL7m%JNu#gz&T==w7!RK~FN%lUBztiv|@29dXyt5wdZm4op6p|}-K6cGw z%6B&$F^^?FwJx}}dPvdx_)gf|O`M>Gg>V=Q-(@WgM9Kp3=G{!Hubnkq5m}hE=f2WF zKFzM(?yYSLG)f5jM@XaKZ{dBDu^cOvFriWxXX15^ z9y+rEUfhHNxUD_v!131w>*YulDjy@So4@rkC`ggz_z^H1RAQH*`ykiNRJ5o%P6jhF zg~WqtGPW4j$u~F zltSlFkwOeZ$|S+`VEl^BLeJfh7`HBPcNZ{uq?fsux>TL&ceuSgo58JKUSGHAMj^Z> zAebwxTD&hYb%%|&ZdUC99=BC3Rabeq^9`*wMb}@V``4 zC#uc?nI+ZIP?cgEL@43gl8C>p^*RofPgtc+(epqRdxzB@9WqB}Xq*U5sqHMBI^}APmr>xXf?v1Z;5oKNe8Goe%oZQU2gDb6lqd82N zxa}XX?fvT3_Bc0@c^WLq4%?hc)nu7{fWO9)c-N#Zwos?>n?j#J@$LWp1(g5)oayX8 zXWFh=({1Mp0I+TZ3V`^}nc5gw*eaXY*jxYer~mV$S2|irTdj${dzIht)f+X7(kbku z?qzcm6)x6f4mF3yJiBiLhnfDw8~OY`wP3 z^Z9S@d%rS?vp-DFspg<_cv5Cl)LX@I_&k)7v}*RS=;k4-8zf(9x%pCbx+yN_L@I!> z)n|=Bc<<)OBd@_Xu$nf6=>=1MrS~6vvnS2~bh>8kH}J{D2Hm8G{!$@dYO8hfU_R-H 
zaJ)%C+8~eCm}J3EYx7bE%y5hnsf*rC5lL5lsw$WULsx0rJVa0MBlFnl{M_6p)hzBPUi4J#G*R{ju6+WMyqm$ozFIM4H4H^4pLB;IPsXrCpVUu^+-c+jibh&$ z>-K{zk>gLLE=Rr%B0EO<-QlMQuB^pTph zRv!h|%>it- z^1+nvu34=_=PmizMHoP zR?D4rdU!NS&r_cCk}ta%#EBeG=Gl0sT(-ZV zhD;5dw&oH1=G!fE?D7?L-Wh7RUU?;OHo@tvy%7*VWd$ghYC*ULTP<4h<-7SfSZX;Z z13G?MCFA-_Eb*7;I>y?LMQ(WfTBOmM(5r{=ds`lBbVl~ zzZG~%D4-wjXN)_g;a#%n>LRi3qYT#|ZYe`~D}K%hu7>3$vLz^>7-E?4_@t3mrUS(KYi)_*tr zn@o)DPeUegXMy(1KzlW^zqQZ9=E$L%JGZw_}#Vy8eK@_O8PqH3f2EgmIND1@c1zb;ms8 zDkZs$C>g7*z-TO?^4R+W`uJI@SwRi#91ZPovv127v}gSb<%Hdy^)Hmt|Ak7;cWV>w z?y7X31=*(g)2`*+t_2>}MFQh?DZFoM1MGJBv~L?R&_l->G>jJ9MFZr9Gku0^-xl)M z_Ho}9ALpi(e*5|#R}bv=^*=6}|Kk!vxQQj$zJ_e)60~=Fvv-4oa}&e3nT;6S*#Ntl zJs;XZ4D!;m27{Cbxz|OI1=P)hGmDHRMTAdIP)>5RpHA8b70`2J3fVd=%AF*D`K-k# zi|`^$fVcxsY%&i{YTyTXUtf{C)(X()M2jZ)h0s`~S*#|@GTWhD_@FV?6j7=H>QE)f zw5EXojps|T0W~~VrBAd24U=mJx{sz}UrDA~r#yw~4Jf8UnC^rlHd|QsSc@o{44k)j zo?~X#YxM_acuCvx>qK9h2v$xp|u$Swt&%YFn+l1wO5vzq*A|$}-mt&V#>RrtURnX{s{*Ys z+ItV&T5UG-ohx&3O?c`N!MZFa zGfz3N;5?{}L6PnN(^NqF)sGYw9^dL)d`+(5V+&Bi^D44m@c^3*V& zu6=2LAB3K!iZ^}ysGV0JR~?KiG01JVfBLrgz@M}RpAG}FP@5X!xnNv}KqUW-k9&+2 z7{)wZNRJVsNf>~ zz2l!FhXLF0fF3%QpkWjcu96^9MT5UqjRx$w)kN4qJI>4+PTUCTsn_`c|CsE35@klf zKi8ipdi-}#{=F$%xf_6&f$Ir|`dde@hjx84om}HT9#~h=Q%V0SQchV#X2^FN&Kurt z$p^$l>m@lOKx>@$3KPmy)<3KV;{RbyCH=!9`421SA68ITlF>h`n}1ldotzW@`-Ey_ z8AOVm0PDFo;I-A@N6cWH?m-uZV)*Kz=WqRNHo&s~$Xx!9Y~?>PwExIt|0A3EADPqt z$g++9bda&AT0|y(gtxzm#E^C1o6e2Xfv!xRFUZW9g&nJ2ZrDFv%S~PugpMCO5JT2G zEghT97rJfgq4=g0z08<9R_I?@fX4hdI4R7`RX$}g`TzNqwfM-qY{jIkpIPL;_Q~2h zZue{Q@~nzCH@6X*1$SLlAzvHR?9+H;epyHXU$dIVo0|uTYv2eiWrVfaQu^q@%$#Ix z7T7GPO=o2m_{Le7{}9{3)uw0U{66vamfpY?i?f*}y|zh<9@@W-NijLQNU^fhESfVj z4_f7QHo9pfb&s8GV2!b`*(!y6F}1onZl1bKE6wz|w~ag!eqr+ChKoM$kx z!l7w>&unhdLBb1bV^K{ks#2+~IWJ*NdwN|*N|vdy4HSFF@mk7wX|*Xew0kLSy0(e; zte`5rmXYTZYi|2-@B_z;u2$`P#}F*FjxCyCwM$}cliEGLV;!4pac0?4^1?f46=**L zIho_Z%Iu3q?;BGkQP*w|)kR}!10*VnX|{=*{&VQ4;1a-V zAX%7l0?t0?*5K9~VuXy}m9@TK>8CiDQVAhZ13cYE4tH-UAua?skQ6aj7QqcX~RrL3#tj!9-l_-=q+?l(6mK! 
z)3ln&g#0#O&2S}62~`MDV+tRDo(A^pIW?I?J(G7I81E5BF-3qRz7tK#HJ4 zojr2uReZ0C$Vy~dz~6ARozSydk>eYmgzawsf}Qy? z?8&D#mm);XpJ!ZMP=PZa|0sdVGT7j#lMtj^?1{T8{n5tyZ>!&u@tih@nr7LL0Z1hCL?*wbz8m1QA^UAyi@AImKRl5Kj$vY@}kT4J6Y=s9h;q4-Hr} z7`oK;>%}(XVv=UMxep;87>+{?Ihns<6ry|IRhE<=mBda8-Jih~qT9f`?4k5fzad{{ zAyBitdU+|XEvD z6V7F!4-RCwhk4JU)G0N%e9TQgeLIFIz*)-#nLKEmbCim#D9c7!J#73-9@yn!!`AXD z&bn3kRdDbwE8*I8R*M)eVDvA$J6DT)#+ty2$a}pq%QU(v$+Bljz+haA^B70F*ES1! z(&j-+OEy9yjPWl*tBGb(Y~&P-#|D)uE@%TYn}D75ie$1w*$rVJeX*Xf-i)SrTr6&< z()dRt3|a-r^^O(LbQfG@_Q!BO0XE;GU5|^%wGG(f=Nmb`KNGaE^7o?FW{UB2B_}H8 zW|qqti_StL2=14S;ud@K#p!Trb72p@bURZnf!cSaxL2D$F`UJE1`OQi!^07aEqtjZZz&k zNu&|_$x#6k7Kz>|BGg#WYQuD^z9q>tcTNg3L)bvsQNDU2fhP+uPgF$H9FXZlhy3q9 zs$nntpHODt@^R8@LwFj&jK}D0Hb84_fng2is&4@<$(+%5z?q@T!@@|2yPXj-4h)kK zm__diwVmR{w;cG@S5+Q-!qlL3iB{J|bMe&sRSF2RDsK&r&Qq_>T4{(@;9+*|aL0B? z(Aovl@x%;lt|~r9cMDFkub9Q_MZ-M93dDdqF0F6^4H5+5yB@6=eU*BLFK*Ln;_*+a z1T3zSEQG!tySZPYo$PE06ZqtznZlF%meBTvBrWy*D?U(SNhk3bX#?h&g1C3(BQmY$cHor z;fSz$>wAnZ0B^NfXu*pp6!ih+jr#%bbe^)&Yvfl`iR!!~b&?mltdw^74i!9Mrv_z5 zqFA5WRuxekXo@n5x*;}bkFBx*7!Ng0$VsJFS`&#R1(;Ro00dS;TEMwV_s81+hk3bcJO!LrmEvK1rj(8cLX9(tvJ)oAyosTq z4ZNUguyM<^HrO-z$6l)k0B!rs$vMRZ(!qq4(v5i;w&2D5-3#??Eq38Q@9?p-3;Cm# zxn8nj0*{NIAN%fac`LnFsKpfs`mV}FdKGql6R*nfvI8*9`J|_RhOVq?)?& z?75lV?|yv!)=l~qNl%znGlB2XJgU16OEfLaP{;nVIW!v}BiD*7Oub!8ab?38c^0!k zsx5Vzx5ZT-1`UaZNQCxDS^~mk?dZOf?SkR%D+LG9u<4urY`}dvoLgK>giJGV@DyiN zY$$TgLXwBvnEmeFO%I{)Af(`+v9isqa=og8Av{(Kq`65?W3`!JBO}A2=;QSlw9k4L z>OuzT7uhRDROqquwa)+uDD@>}v=2e>OG9C85ybEm7>O zku$5i!t|GP5WjGTL4HL~ys&Av=i+fK(`|N{G3^qUG%Xc1Cn2_E61=$iEVR>(6>ZZi zIOnvJtvf#F)T){+bBUtRr8Ax1Iyk?zoHG<%=qL>dOscF{Xz?e$Jid~oK0WuaW` zho>)o`*W1Qavn_psI-sv1w|u0MPSTsJtJ*D{OQn#2Fa#=#MLV<3vK&@Roclh5&p8M zUnabpM7ojCk|?ip0S;DplAx9ZPy#YPIn;v26DbjerLGbnz%Vq_#YOy8O66!oL3=!! 
zZHbRG_>eL7%tg_TqYL+Ylh&3qDoN05IyaKWrY^6v{(MB{po^s|$rFC(`oyBEooI_G z-CN&Hgmq>|S2vYJ2K<%0(3sudM5MlQ0al;F&|ccqFK!~3=XTeqv6tI>!fRmjvb7Py zfavB&sQVhIaRR^~%m2;`!mS0&uoMDx!(7anFw|zHGk;>hn{>=)eJZ&EH{Hy^gEX~HJNZj^0-7_L>H$){ zoz>Q@J}_@krMD9b-Kx9SFxYrb@G57KQJSjCPZA1Weysu?o*77+*uLqClHRJ6Hj2$l zLDNC7J!&(yEV|~v;OlqE-RYNy8co;k1rM$12PV@Nf9ydpkun%T9b9x3N0*!0Uiq1) zbH~rQ%jYiz{UeamJ5S}d$E2_kuPgIwlshw<;fP;|(O9P1eSAH{Us)E6uU=pL@y2g@ zoe&BSG$T<{y3U^IAJVe8BB>^V zuP2wFKw!W-skrW8fCuzwYRNLEw|PVFgI9*j!htCD^#M2s*^mB82$4<1u-yoD-83hi z>4Ie(sBHQ1{efXR_rd9>+1v{+L)&)pS(-D@+H0aDPW}ugy4V)G2+ScXL-1(hJ8Ivl z*<$YK{>y2^L9Eq0fu-w1gk7Y@Ys8TFt)$_#E>@khHEWtwiebX1)jk+gjsYbWo*e=G z$Q;ELKo}s;<402^ZnSOxf?_|-D;_(2)wcVKLe_mM%S09hivpTJGH9S)7w<4PDMkgz zo8b1`N7Had%^gaNYS!?Wmy?osr|Jq1uS523bVj-q7P|=!I*|;i5sPzJ10=7SXO2{V z|1H06ZC>3PJR|=&usAKk{_H|TcEYw#+`|^XudXh zSa^$Z9lbBv|^1@v@~=6x?WsjpCY~*ZZqj=((wpk!c3X% zw61$5Y=1t=WwB4}4$tvae-1?qYhbdF4 zoEuDyra!EExx`mWKBv#^Wvi56s7PdMwAf~U{(v!eS7fp`E+mBd@O8$@%_sZABSiu( zIqilMR$`?@CwS7t;^44bMGNZ#et(T0155_{bw;Q0>gwp!Tlgd8b;xfTIJP>LjCvEC zeWTN{P?C|JTM&lE68%3Twj<$kmQ(zu>P&jCdn z+;=KYEJqGh9s2S)e?rFSM*6tf;;-KpLC?CYRgCIpP!c+1=bM$v_<)H)t0QyH$*7Z? 
zS&oB8MYBFdox*ua;=5CwE+Pq1)%pqSV0)@B;vBusN~P_o*mPGEztX)SQgzi_^|m%{ zP1?G2l&0>uke2cqA@YjgxKdL14)hs;cAy@usm5yw)Y7h12X0R~k+8?Hv$D+Jo(tDD`$i#mH(f!9($3@>Du1*W)&}2BkbT~jbrN~o z8kI3t^yA75MeuZWdA>XKm-FyBxtFa@@53u|=Kz0qeb9h6J|!U8*Nal_ks_sLqc|gW z=R}6e8zfMU;fcuKO}(rsg$?v*hx4h+a!{+p z3s+;HOV5)+4k~NH%tGt40JYlTrp2c{ucI%$h)B33%F<;K}2KW8*zQj>U8bODi{f=DtiIsrpUZD1YK z9-W*vh>KRekkjjMXY@8Uc2xxFlQVf}$j{k?z6x)zsVU2aMBR`hl>-{j85C?_$aB+O z%9LskQA)aHIW!0rvAM#jTFGCpCX0M9dj~S+k}>NKRO7P{BH?uN({mSVEgHTwZ=ZnL zmEX+?!Vr1!(sY^;jv>5Qia@y1e3}u6;ZV2*h`EOH?y17;V*dWdW+7k#b*-)_vwrK4 z;v-r0Fk(fAQtNy~I&X1xY=NS_M$MP=zDWxisDLT1b3>gr8Y%U@4l7+pT1bmaTZjgZ zk*RwhZIng;L`u+}p)!%mi(sy5j7QB@E)H-ct!+tAKvIGmel*)60^ui2%3Z0^Km@Xj zk#9HaR=Ik}dF`n|9%bZmdKU4egl?_1rjo--WA+M!(87n;~0>~ zi57Fqn8bJ%GkOE>hb%dj@+IlQ<*AQ*IREf!nLPNDM#K=qWR9Q$I6cjwm!d+~MpHFu zMRL5B$DU~|XU3ALoKn7ZAKHx`V330b2EHeHaD|-M-8$@woe={s%hO(sfIq9?Lr*bC zPPoyR5;3U4SV+1?a;e}$kWr!8aAb&k@k|UI;0(rS4>DgldU8X@Jv10yBJVUC+itOw ztK|a6>Or-{y}e01oT3G57i|x3I(SWQMTlx1Qvq#EfHJKGt&$4i1#{)dgvVxbo{@Z{_`jg-(}LL9ea4N;j0bUYjqa=L@`uJXOpBtl3@~}qGGT@AZ2WE z5{V*{%VqJ(icLI%*x_hG;%2XEh)}gm^)Nv_JurS#8ZFvK&H(=5JUM5uch6x_d;zuy zU7hpSulqz|10hiSg9cGBAF|(w1CX7qOUH7R(RMNBJyxw;bk=bIQLqxh5B`4EFEffllvWOyIuuxUD~k$ z$q-(J!~m5HSpprCn56g<_Gn;yF6lfWPq6QZj|4N1Xxrv7I;)H%8FPH| zxs#{r3HFD}$0?_raCg}e_rcI9{=ra_6_!GdV2%RTV!>>d4?m*6+y^Tl-fL@B(4DI% zhiJ$`yMvENmy-GBVuGj;5{a4DCkk-2b;G-}KEo^ZCQ&~`;Q=Zqp=7+orQif?%(^@y%tHof-FA9F6`PRY;5LRY)vaXVvk-f^B=U1eS88{`!+FT;-5SobmRG)Q@C!@CXLJ_#EWQBE}l1h zh1XeJ&gO)!dv}zcolV1IP5RB6I6+?<+&EF-cxHB&8712O%mb+fRWk(V)=*iHrM8jG z;zd}!)^*W@+qM0czSXz9-ym{61BaR(5-WXkizxaA&&?r5y&D5q`!dPq20W>GXf+g# zy{}3eppTmu0XcnS!_L)Z$Gs)^UMkq{lGHL);#Lefn*H$;z%q^QQzQ1u^b3XIR0vCl%z$kD+JK+@?xg_#6mlK(-wC^Nb z4t#6a-7lWfLYJ_N{w6!&`tM`dlgmaCOS)OCUA>TeGs|@Y;RccjDPcb*rU+0^+YrGJ}zwc@0Sk+%eP$1vHm>}PO(e3^cg5&$#jrIXyioJg0hd)IW!NXw;2!aqHQNA9d3&h0PIL6v)CNU5JUNS@0r7%xgw#hN=pyBWhGYT?eqqr#c1Vqo1glA zNI?bG8ge^N$b2_>2g-xX>BWvHFrReDt1%a-382QBZE?+{RX`1hqHq28YF)vCr!Vl@u+Z?22%#FE;(IFSBLqU$ga2E!B%(| 
zPNr|YpLw)!5ug`25M2|Qbsx2(=O`jGsen$~_FilG(?F#KBlIU}xeKuuFv)eJvvRwz zh9l`-2LX$V))S?!wLpnrvqzv*?8zczRyYY!bNSdyNH!3`lAXf|>ouC~Cokd|wsTq@ z@{Na@$$D6+K3hKV3%lltO)|EZYy#jA1%e5(&-3d%r$Fz_E5PfBzk;q42&;s|*CO@M z5O5*7Dc=tdMt}G_D~ajb&B90E^0pmk83y04lcHa*B(~?4Qip1zPW>*Ev&`#Dr78A; zXhk{xH~C^J2>gEi8!YfUkAqP#`CW&u#BlZW7L|g;(hq6Xzm~F>d6_Di#SynxGHrP~ z>7y%(Q$o!VYlHUUhe@p2=mq+$W6XWI@;(T4Q$~-;cK5>rq8?F+R>HEpFTuXo? zLNj|8#ABqJIZ9;mlfpZS{M=}jaL2~>)`Dhn7-=P1nAwNJv8!E^t0JS{T2?GQAVZ{h z$0m~SJW@JeH1E3^L;F+EfaS{dfWSIMygtRqOFlggM585#P-MQKSDi$K1=5b81pGW{b^hMKT?oTs z>iw12x#D$vS44|z>zXZEyH&pcY~WD7kkQiphv(nnN-eD5{6TasC@uvD(p9LjcvXHY z2dPZAK-R))UYf(N67n$5QLHfXH~~YBbX=4guK!v|Aa*cz_G4Z%fiPvk#~u+cq*OCM^)$_IuT=b z#RrJNTm}y3Nrooe4`9IJhQFQYBl^3n5~}>u@|jpmWtivROZd?O7A1_>_trmp)=VDy zCG^QRgTTq2EE$)$%#d>ufaKDF5e zkk_uob0UPr9imY0w5D^nrVxr4jN*Ov-#TCj+=vw2s23ra(r@ZATgGM-hU`xcZ~OYx zd$s>=+Pq}&GK7G*Oi9<4b5zQ{k7mn{+u{ zc5`go5-u^nW)Imu%GmwNJg(Z@vU7Re%w`4MpmYyT^QTCi2z~>*O?yNuROBzvokthe zW$|gR`KDtrsVs5GU1bc4dTbY=h-~3S4)ryPnJv!Ygwd{_5spV$a2T9%@4{&J@%3)4 zho2fcCE?&E*hJ8HxcPlW;GusVQ~l7HNZxBiKu@fu7X1?1*t_pJ|Kf1m<6xwx_DGY- z$1XKDa93-km{=K4h)TAUh)&!XMD1iHuwe+h`0*Z7lHAC=3^%%tJ|-OxW}Ny-O#~Hh z{S~j*HR2DXH6;w<1kYK!-eL2a*#&Hu_L_}d@;>a{u)TTR1lM_;*}XQnjbFX)d=RX% zfRns9BiG>gd7z%%Ls1xJKN060Vn;wQ-pO??4vmBwGa9xlF1Zvqo!Q^D?b_MqV+V<= z|Mo2NIJ3QF-P#$-xv6RLs^9Zfx*eZ>MJyXl_Ood)VBYHLq7NMEImx=Y!M?NG`kWc^ zp|5?>!++VV^Wv&|wSB$BmDyD&s<=nVk+8&A`17*ITD&T25lzj5jdsC|Wd7B#Z#7 z3p!^P!YIr#bf>ZXaSEBGQ0*V8vp7vkl}0QV6$_JNcQXTUmW*ke1#2zr3*+}NIhYwl z7V~y^Zu~J{LTuTrta1_$yIKspdb}b4W{Z85QW>^_CHb0dr|u{GLj zHG77Hjgu0}I~kWWI=o9`BQ+t)RFQLJuqa6egXir-WVlwkC~YZaU}ka6uuUpMdW3|zmhC1so6&uw$&SHIpbDQM*`ieR2 zsr&t%x%x)&bGHRoJS&H4)AzZ^LN0f%pcxi~GJ7HCr4&FCcc45~!l>cPqSVGANdXe7 z{1GV7gAiz~3LGk#h1~M>R0;;{k{$;)q5%(oV=pCPZBKqzB%Z!*8o_S(Z6kPvVxsz&{+KBh~<@@&5L zmEcWO?Mw$pjB1H`3L|(*Vb_g9l}=;urz6myiv++Wo92lg>B%h|P`7c}qdQZ?Hi8L2 zPoDu?g9-2+9~GMe+HBpKp{8%!7caOkI$I42SA3KkLIxMPmyZ`k-EH7&&IClF@O$d` z^(Ci4-19`u@1)~Cu4+5HeP8P*!0EY6ssl+Kbevg68k+|7^OOZr;pe{$tGQBF30G?Z 
zLG97~>hweBm`^s$kIlIUIpykAVPip-6_#5tfMsuMQ{LXbb4q2>d@jBcQOqOf8V+H1 z69!st!sz#dn+=i+kR#kBzlUVZ9vsQJy z)Iqo&sZ6D)CSLrKP5`R4B{zgXst@!7n7lt2=E;`pw*-mX=S9Y*I5+!FmNpBfU6SZu zi?5Z@6wYc>tQOn=l2QC`EqYkpUNkp#NT&*+_2+9am|iT@(WGKfWXf=n7NMMxlw|(( zD2L0H+ZV(PRNFG6?oj4LL8fA_tUXba*F}0DkXBoSf9l@5#NCn9$a`5p{abfibS182 zmSEmbp3@~?aj9Yn?MX&%#oBQ)uykR$05)Y4RgBymD@IOsoS9NDx5{E^Ss%Z+(E#*4 zrPJWfK2%JE=-Aedh%Tkw*zMOdAnob|mo)1_$9Dka%13w1;bJyth9lg`>wKyBVJKgv z=JrS=WW2NmgGxQR1SeI3ouEMi-mhFr*@fZV+4OITtp=S?x~-$c1r61)Cmb2`zOgte z>T6L|JO1-A9CcnutwB{;%Q7;h+Kk?5Zy#V)d&Opdqe>=Rrmr(@UVaT^m6SP1itdaU zYw<^xO3jL=%p$0m!fVZHy=IYWjX{aJN_RnUB)K@)zW%_XWG%&)b!gE1=7?;oK^#{X z95KWgAKyb={=|>mt3pMv2=8MM?B;Y|g>IB=Po|HeH+P^xwv-34V4xzI z;RAL7XHl>9q32E9dQ#_Hu3q`s<#_lXJexE0IozjY-aFOV5|Ut5?cYE_oF~Ry4s~#@ zRnGd=fEKviVNUXEUbJ`?kwkAV=2E?Vqlm)rEMZX5riiW$SC7zhg&=C?8{SKeRI?NbWN7}oqpmkV5 z%}F!ijgZ=M?2&C=_3iHmvq;sy9d^fAdc*U;KK`s88YuO6XyUiZ7YMX(j%;DK(+r&A z5iHvE1di+yoH9MRvg?v(t?b#n<1>9_gbl8INxk#sltIIXYq772o6Mpu3>qm)dypCX zs)d_c-Dg~S%elRT?ni4^V!!;%dmQ(v8s}orRq^Y_@L^pbiaPOe*bW?I;R?qq1(1J# zEkCnKcmo^6bcom_(k)O2R-=E)5=)m7*H|%Ck-k)ae3*DASI7Q9*!-8plU( z#mV@$smQ9*k1Nv^#EscM(uVAZGK-f1Nv%X{6o%4I<%>r4mm6~AuY^Xa4r_51#_5omTv25SNpeyp)W`}-TxW8ENR2L|w9Yn+fQ_b3 zb5daNs z5qpE8k!`8jX4)uK+=W!37KJ`RLALieDxit0P!8O9Mo?(v?SW0nwd5D@cPPHy*;<~H z1KO?V-ip4^jN}NK*!S5u8fhMUu+42B{AmRDavTGCcto)iL=RQI>Us;?AQ=B zxjvzhOi2>j0u8t#*{2yKRHDXJ0@rkm#WdF+uq`JI&R*9_{z}{Pzz8q!PL?*%p@C>V zFfIku1~Q{<%l80jY}ga@AW3qh8CctvS`+LeiNu1dZOnvX+l!3I2G#g%;gT2I!;s$z z)#4rLIj1K4QAcLACc2gBJ7etivTritO}&k$*1z8Fw7!lK*->xf&LIV*WI5iYGNavG zqN=m{+EZwobQfArD9&PLoZt$t+ENPUgsLfp2cacVGEQV^`7~<;9pW(^9*A+>5DQdJk%_mf<^gnEf@#mhN@6-Y)5U@^2h_}ZDi3ZMo^yBPkOu{z%i>F!)R5n}Ybbz(~{%qv5;63l_`OOE=dxZ}FLDQ8w=54}8j;@R9LF zNgEM$EXpz&Sq)KjK17XBx-4P3_l_gwE%|&`r_q$_{+Haz(sU4>_- zHF&cw%8d>972o>jpcZ_`tFUH%4Sj*|M;I$Xb?5<2gep71q4vO)`1;UbR+4JM1S5&Z z|FnbEJX8#%8+8LK$?}d(O{A4Xbpz=EEEE@P6fj8H>UsT`&?9y%_eY?hr7drXzriW% zh^g7S{aM@9-Wm6dCQT_@=%J3NKP3`QX$#?GF|pkdAJb@I7PTDcv2rMByHXxKww9pT 
z%08ey$5No$V8{IanX9ZD6M^6*x?JO9Q(}8Ui47G^A=VwuKRGpbkoFKOW`gk66Q$XPf;B@VOp^|xz!L1l$O$kC z1Tr}ecASps0_D6GI^6+!`OtZgv$R&_w`$k2U(iW$+cS^DM8tO77Zw`=zH^h`!#V$( zaVh4L=w&Wd;lr8fL-6NFGo=%TN^P$j32F)pwW@ze<-H4uP!TJFCjEF1snoZsa?6wT z45i@MeG0S8-j};6X`TIbDulZUc2ap4k^D{PvzD3v*_vh{6M51^u6Q~`XfnT&RG+nX z`BT31ZPH`&fAm~Ct@}Fpy*_k~A=_$RQ@SGad~bQn*?`}7l92PbN}TfmM% z{z)$UdP?_`9j>H)4xRUxR|@2JoKrkqfEZE+k<;fL&VTHGV2@MzKCM1J^sa7r3ac^k z6Q>?9HfITIEn4Oo1O31bpa(!!sJJ=y7R?wM#oZY8aF=7N6Dj46ipGa>YX6Kd=$#?kr*gw|jtEngK9nabx0l-PI+{{701+!47G=3DFLd{VRp={Xc!v$&k+~BTcjuiV_-us{gNESQ{_$7ekj?V*XBi%hDXf_xIJJh&fiTsNVwDu7?XhlH zjO@`1Tm9BN@cV`@{0uf~cuuVj;4h#ZF#fcFpY(1Ivlu!^ER1=z9D6@jvq7G7 zYlY8*%n}HE^meN+P5sFAz16WerElSJNv$7tFVxIKu5rp-=F-yF*$$#a5YrN%gHtb& z``cj@~<=n$w;i-~>(X_dS0bQfK~-#cBf9?rV+0zE?P&n1TlhE^~|l?{-8@ z;BcnIaK9GNngOAL2t>wjV0H*9d>uZZet4}sZgU2|w~5FA!h^v)0`Z5*`xYKtE+2Lz z;rZl)O9zmy`Hk-Y1z{+07@ka-(e$S85a^$a?aq^#*I4-|3X!*4@OoPAYRF5#qT!-+ zlAhMX;kgFHIaG$YTx26h273ZwZc zWJQP+tM}c6iUL)8)vqNj(HYVjD)_AFyY(PQka^-^GF@N5%NyT@Q)OR^R z2Qmlh@ccZ@PSM|;_8d7C&ZBDm#b_h+GLPDL{pZ#-=J?^k81}!X$1}b=n|tz~+_XO} zLgVA1EMdm{q@IrYgWNBDfjz!waWDxdK5NsI z7%v`PB9oC?_#u7jsv_xOpP)=)w8QEaNLf#dzpo3a7E-ds{zi5DOd(#S6TrS-G2*pY z?&yc)l-6Og+kNrCcqZBEf-eVV_}|#w)p;>uwiUijCTtF)T9ugsw`On-tWDC8TsbPENU9kNvA$oHiT>L_ zkEAqQMP}D0micbibuH~%V_loZV4Y#i9)4%W8+4U{A)~!rH8v*0)@X@gpIJAwhLZj( z8Cx(J2cdy<`m8fY3@;}l26u9v; zTv)jw(-u#;ESc9FDuChxRrWXAPhKdkBl%LNxut2_caXvwdc_4{jxjt=LF?(p0+fJb zoq*j0=umV63SEhkA{Bi!VMWWz!Rl8G$u6wMqB}q}r3mG^VQLaN%Uy7d#Gp;>SWj4Z z=i*nIU35rU>j*J9?9L%{uCJ%emIy|3=f*7h# zsl`9jsDTISyv8hR!kjfo2 z21|CIfqxtx3Rd39N3Nv@OJ%>sUbyO%#7NqBQ~g*iyuXP$al!HY>cRF+jlO|rc}3FQ z=6sLXQ>_IVgLL`Zf?L2n+c13Kb*oZOz42@>#Tz*@X&*3gCdAY=s=vTEG9rU_fx%f+ zg(&;^RROPk0OJp&pUPr-uVzzZ`!e&QZ!&$Q+tLaTH~IHODe>bpS`5R6vBkn3)BTE? 
zPMwqXf-EStXZUMJG;bhpUYOAQrk%$yEDz6Mp3OXsC zuc_D;j5;yTAaZbIER~o0(mD=^SzoETy$dPgT5sE~EaZBJID#tTO5VdI;u{QnC`b7O zU>>?ts_G|(6nci~2XVX+#WRgF#M;l1CPU;20>TyXz+2DDmB%wkiO62if;vSs<-X8g z;NPkl^HAKBLA3{W+MU%VAG#RE@E3|56TAUWMfGF6JCpM#Ug$Z9qZ^gu_=Df`;w3p> zETYU3kAl2Ak^BW;g53p`1LWA1%TTD)Me~L|ptNe0#jo#M^Eabd&a#T) ztnC1N^=UkG5uPoX&o1##)ZRneNmkZbvc{A}?A9IF55}~@5yh%s(ho8KD*-!>2cNgC z5FlJ*!lI~zm(Hg%sNVwJI+qQZ%yLuhgnQPsbtPD_DodlC$dM=JU4HQKD zc7k~Y&X_n>@O1_@_aGvVa!)0xF*HDFl{$a|r6Hg|NhByh%AY(+0Cgw1B0PYt`FlrB z0Q*RqPAE3A40r%@cohlXp_4%w!*hlK5F4YQOQ9^Rd zTDa3zE5Y8k0N*^tI0W)_Bj8z_1zh(z{H;*`wD`>~x_*OBD5t~}QGh1mk|#BEz(Wrm zu?anEO*PTKOTHyg80u7u)O~W>5;^$x#vIqH5YnYq8h2z_WQrA0ulJOspG`7C@YcK-wx-Cf){^_+D z9)FyJQJQ$8037H;ivP73f%wrnS3tHQwFg@l+2Tv2yKJeisN#Pn(`~Z5%MAI)s$hTv z7DtcQu&&k?Url3}giBfTvw)D5ew&BV6ya51W6M_#`%@ZX!%{+PokVG9fIU4sz-A&l zwj5;hj1IVYY30$5V_md*TimE-YHfyBA9H7f_P3!vCd4M$GlYd|H3Qqa=>8JN0K2Au z2irdB%tv&OOu4tP9+_1Qyv@TVAnOf~T@4=aZMfjX7$?Y7@F9u3wEKbRd~J`DsrnTf z+)0-@Tk;Ru)Oc+2iXJKhxOtDqr1_5IVi)?qe;Wq=a@62lIKJsh!L$9eV4VJ$X%#yqV4MZMD}mwI-a{p(n9p_p*jxfNfIM7 z?Cbz+HVFreuMfNV$nZP*0GWt-VD66aN{|Ai$m;X8tdu2JOBAWWI4k#t_~X zS2kaz=A!Qq8AUb)u4_8nEW8@)(cbm@VhylPC2 z9Tn1d_=r+?b&R+l{0E}(n-tPR253-9m#B*s+h?}&8B)y3LI)-`H=7FdGT_uidYPW6 zC)gF8T;}S4qkN~~zusy0#VMP(r^oTrC)|F^-`>Zm65tTT@rgj4|Ds$KkSiv08ky;a zp7p&F9I~ZWH7LY8@7vC9EX0)xLquX3)9oN)u5|&Jq?$WW{b(sKE$W)lV(#M+%?k35 zDWjko`~{~v$cj_`(UGHi+zt;xiVo-RQu{oAm#Q8&>`Ajy^uJ53$NOFCh-WE#gV~@j z6L5L>m+`q;vRmQtxjugw+D8WSbC9IJT;0htLmZ$J$>C(9E(eHn`7N=A1_TASlID+z zfIvIVEr^7ItzR?jDiB0PhTvRCRsr{An*kSec#vRq8>kOc3GL~xa|_~6&j#|D*vu{i z`@o?CzT;T_I`?T2JA{Nu-pnt+1n_?Wc4{Pu5B>gs0Gs;-*oI)n*W!x{z6apt8pGX)JsB&sONt`*MnOagv_;LCLX^Nl@ETr{Wj0a zfUXthcMp0<2)aOkzWfEe{(pey{sp}21XgMl_+^&{Nd1G@Pl1pf7bHHO))zGx-^eIS=Y~&siPj?$aqH$$u4i_VvzIN+~;IZ_8el^}ff__!+ z8wKJ^0l-)3co6sA*wnP81AoJ~1X5ZrVPK4LExtM}|8fUoD z*3VONeXpzG!%Ro3>4FMLpl!OFX~-pWL;(52wi10N5_fo zaXU~1%Q>7z!cP5O(R%;$FPfeIHOuEMUW&!Vkk`c8B6A^6#4yZ;UPxZL|HdWmcXy{mzbN{{)m^HZg z^y8~$9&C1nWthKeGj4hB6CNmR+E1x%V9d5AQYcmhYBPDcgXhF>DqqhY)zv(4TFm}N 
z(g7y4)O*HuUV4l}lA9rp%x<1NW0KsaGFk>R3)yf6o&Ik5sd?GGNlj01Gb``Qq=@15%PI1AXy|Kn}!@Yi-NZw|l&XfKiaTUenCCxqLfXWqd$ox|*kw6DSkjhh~}<&WoMd!<`%2q3+$qL_x_H-8vKr zm(A_9Iqfa4gVky;yKS$F9qRuVOZi`PO*SgFKPX}AFuy)!UaH>TGQcXKcod&J-rn4h z{Vw0WeuSLp4ol#8fHyQLe*%*-14Cn1mjkivzWF~zb zfJ4w~ypA3lp42oCWa*DdCyqs?BRHiuDPEpdXyWDh^=q4Du5xW-BM#m4K7ie1`d)tf zJ}&zay}`Or(0|s{e=h2zy@PzXyFWj_KHiVvtAQYhZSG!t>9t;A{%nTfG3ue8<2=4% zQ~ZtzY&cHLWl8b;%_>>+9oeYO1o;Cku}j!YEZ{UoE(u%4jDv+IXo+^)YJ0?!Nn88Y zTtX{=I21D-NP{E_u!|33@wHdUe~;(4Xx?4g80rwP6M!_V!{mMD0Yrm8BE||Gih)Cf zSZjZXuvfjd?S0&xXwu3dWL2lWAIVN_PHYaPszY&itQwVhnuf>2HR8=0wkm)Bh ze}(6%idsuli7uqeiZn@g`E?qfdOH!jbqQ+iCc8>>2NAWsROE;`^WgWe8H5K0pN-{E z!=LJp-V@?_r(Pj|dY1mRGXBU#H}_+X$iR~3GUc`W3yVu+L83?KAh5Kb2be>{b3h&FxB z3Hr$g!c2wVk-P2H_Fv2tPCthW^lw{7eTfU)811gtJ=7$Td($AXosrn`mJ^Z6nqQs~ zo_MT7BdNV*DaK0R@Ip&0P)3VrlF%;wf4gqz5Grnn3SvaofN~aW0JRf_Qpr2&aL#Wm zgvjQFte^wAE&?X`nE^$I?FM0RKd=^IsnTNsX%!j8=OqOxTaV{w9UO*5*{EFi%vlQ|3*eRw4WW$hWguJBToM)HHj`OI zCg+JjEwrtP|IN($Y6^{lsRFf@z4O=YYnaR+Rex*dh5u@1tM#DZ^MMw=qGN*5BE)uq zn~@79WDdTK4^m()Y3JxUWgxB0B8t-EwzdGFP8Tfwiw6ff#*68tGsPMuh*kxz9cf6Km;vI-vTIq= zG(SJDUIVVB4X$q|x6c!&83oM%HEt7%#a>OEp8@7jOXtrkNa0X9jnQ4M?~MOfpJW~A zIrk}uj`jw|aAd9O9UB+?he*y}M0S1qTs*BFJ%xQa13{-}&loe1>4ydi;wq+cv^#yG z_jFq8{S&-rLiG2M4Y6pax6PmP&jAB`jmb46PHNZ@(eYoLgjoavB^CG5c*?#>!` zO0$c%MDR2-`OT04h5IGLpS|wQQRjeI6ZsQCP)8ott<(IW&YjEh8k~B+j_0^uh3S2XMB3z*t7Wa&MZa! 
z_n-#1ZHP49JWo5&EjF!PKRjyZV%}$d=F=(!aD3AFSkLM=x_JIZ z7qAPK86G9p2oS{GKw$9NMz^@32sb_D$QA4gC)b;GgH~s3l7~Hwgx&73gVE(h!|JeA zt4A5oe-+XpJbBjIbshpEzZ=ezCh$c)pl+SbOgIe5u7>E#Zo!-9VSj`~+Q5IKbL9l~ zNHAcuJHlOjyO99u7k64}f0Wz4>(KY!t&DjnFW$|TN$Paxo7w*|gRkzs(q6o4t?qVw z|8HJ7{iNpMDz@5N*}#E~5r5__%0Te@sMY^flrS9i`U0~00K6x1Tw)qP;HRPJ$CLi7 zU$2G#{DDJ2$0vh<;aE^hO?rMEkJuH9Lx9jiZpu^H#S>tUGOjXxUpo?h_8~oDqV;jf z9!mJ`u9n)-NFI#&?ld6p-i2rX55DIq;1t@Zaw-x{137*&)8-#I3eI0Tqj280m_{Ly zmB9TeGB&;;hZBHw#7-lB2#6GoLh&4RpCLCo=k(S_$uiN}udQ?M*c)pdBU%e*%+f|Se&R;746 z;urh0w!c*?mc3eH%5N1C=UmK-zXfq9dj~WffUEFCROR4bcU|Kas_;?cNSge%g{C4!eF>R))vkB=OU-rXbaWX3P1lSwfxVq1TYBj+-#l6 zJ$Wn{j?CAcymTc8=Er=FL4ZPRO89c@4)xm+%-u&e>{XNnfFB2tW*L%0&eP(+RFumAA{MbUQkx zWHb<`MU&yZUS73D7tFkImXHjJ4lb1JLe)gsn2d>{*Obx-V`P=m9iLArW%^DH>JJ^= zL$cO_DGi$C_dMPmQfaE79a&p!wOVG8+{q=8M>*whGxbHg(3JCfH}*4B#;2^C_)slAxEtn8c<_!56cOy4?5-jBB2EA3QnLXg`@YJqoiW z3Mm%WnoZ-&(&PhzyGXUSkDlp0OVLr5;?!hc|NH6Z2dGov_Lyv#<>o3FJ? zLT24|soHH;begU+T~?2;YE$eNVXiY)XqBUrm~7QKU!;{j8W!s0O;6gDQMby^MDHEn zbWE+c=fqesyw18RFfYlPUQ~9#5~$C*OMt*BRwF8}QA=bjy3th*zmi`(mGGI}IaRx| zq;zEy*p=6#B8HcEj28=uUAS4-v)GhIU++Pz>n3Xt4(Qg?kn1-UMQ}6{{dNB8HUDYI zLPM{anwVwMFH@@ddmQc1skE!`+0Vx?Rg5f13r;I`3k2x|{1)J_1zi+&UE_ogkAb62 zmrjfyeKdt}bcYA8KfIz$it9ZzgXRuG_1uB|2+4xs1sHIcTPig{ ze+V`10#dQRKntq$55iNhsW>U{5)p-Hz4m@xwBKbYw;8FdLy+trfiK*TZM<>pUOSJ0 z1Gu??WcbL_;CP>nB>g^?`#8R%w>A=f^KFDFlr1^1B8SJ?KpA@|Rvx}LI}XV2kegM= zTaT!oxg|s5w8(?o5>gb{iKtQ*usU_>3MNNxYZDRWOZpPTXM`hFC7>UvV{TZTdQvpW z*IjKl6tAj^F3&p_GMf^?1J6=Dl1F5I`EsJB0nUqzPW$(#ahfouhYpLCX==U+R1Z^d zZn_R_hq-8l71gGHa~^F++)j{T*VR%S&SuZ{ue-^5{6zHjD2=E98Iq z8lEEZ!sN9F&~@$WIafzp7*9aCT9*xHD5*Z2QWT z<&b91>>%e7&x zR_ns2BX$K}WBdtR^w@@TdKNx=v6hAQIrIEFMDndahmO*N%;WgA?wx^X_&L@3=`9b= z>2|wFn420YR~NUJv$|bH!baiX$g_=eTQM}fFB@0(OP^TSML1m57MG3l+NFyOHulV8 zwX-#ca#Qo#e=yEEM#rv&maQaa%Wi#N6b*IKY~HDQ(ye*1>|XWos3YxK0Tp+2>QclW z)yc=!q>asLq?iEVOr2@Z?vKu9jLou`9dWS1ansmu^J3N5VT=6;*touZo5Stx+8*?Z zj3<^xnw)-)TA^~)I4DfXczYXmY;mrt;g;rU{Zuo3iS$aO&z{I;;~qKd;kENqzY|!W 
zt4)U{`;_)}PI4W(jp6TyF4%XxoOMRzszc@z`$OYVObI1D=OKgMU50t_-Z;adg@)ta zB>x12`_EYP`0#7E&PV=OO;T@B_pZKM2XY%fI z5v2-*FK9g8lj!|(Kq8^EnMOkls0->pc>Y{5-GdO=*DR`oU@ z-@bLQ-Im1gT;^#$YeZ2jvkYQUa=dsj6jH}9H+!K*L5)9mjW4~OB)vLA8HpwdzZsTa zKWWY~l&sxh9|0T2K*mqm>h#75BzFqfNaN~LR_Z1pk7yUsW>dkHMj+bpN6 z5pRFF!L0TI!2@N1n=BVioB>h>OMpfo7dF1G4nc3{3Qj~Fd-&~^7=ihP&m8@U?dUHT za+oiAV4@zlm}?NMaNuxo+90#$l0v;~2WGcj)K-!{<)nY)@t=~Jj=*`IE-P;aA<>W7 zR}zyPxwY7E6Jy#apA^`wEbW?V__w_VmAK)3z%}aS^Hr_wMlzY$Yhl%um_l?^ZcG z*qM9iHlJ!crET}$nC`>pxj&~3nq!p&{ZvhN9xpCMY8g<`D_ExN?9DG|I1tfaunt~_ z&w&Y)ya8{PvA~^U3_f7Y97wZ;sCAA?FY6a*Mg^%j8T^zt&!Zo`HmC9_mYMMq)5eU# zi?O(ej@P~w=uznG<_DyFauIg_=+4J(QRhhTe68&r{@xG*fltBpboK4!gvw))RO}DwDpW{kWS-%f=;2{19lpCgf=1ZbYtDuj==i~cnS0@T5>ImQ&0DX_=YB=* zw=7sXtg?e#76Z*GjtQ<#%Hzi1`Y4m0<~2L)e(@>-$gWhfiB3d>qJ3S}TNq@+_(a`& z(*f~`wx;wIGa2*+(~AC@LW1*afP{zyHZz3^FS1YbU7|iJ$JHcGg)+*vGJ|`v5WH=Fd-qEi=W-u# zOVJFAf(Bqk7Q(Pd1HZph$)b{NhIFIlahJ{`_QZm^$Q|g6sB9@fi>meKTXTq?#0c%* zv_itc#F-2eY*NmrPRwbk9I=3t`NMDnDf=G7cHjBs=nc3%x5|Q6=zW1x1n>P@`Z=AK zxbLZ8cz!N|ZW;%GTBRsdZ#q@`MhX@VgL^{sosPrL>fTwd>+QjX+ZCJtF}v>NhQpUv zSQlKzRi^BU=1Gs1|B`kU=S=po!8yal&;xxpy~0@9GoL!VHQ!^*c7Y~*#>okPkz$Yg zpwpV4ye=-9y<(f>VbeJ&ao*oJrE?~dTH{$g{T=7}lTy8Zv<5lK@vy5^vjk1R{oWQC z&BR$Ihwos*oYDjos5Q&;vsvf-9CHDSx+Q(HOE(j+r^O&=d+Wgp7A@Atl(81265Mb8 zBOmO6deEs&ZF+?tI=+CNzaAEHRysk!3}xKZYrc|6iWHOdH)#~b2E>b>%_vUD-6#aJ!{y8fXJ3dwES)by-$ zZ8)^5Tq6R1R-aySF``-{4m36{w10*`GGL}-0X^IXK!X{+0l5nvBGKnf* zUoDB1LbQdFls5aEDXNmy*j0)y=b@ovI=)Ohv0s_l%__R`$Kh}4^n&IWO^rrV6I5ek zW81ijhWetho@|;+imNh;YD%6?3a-_eb>(_v`Tcu#5^c(r-PvV%$zLnPZyL&r4F$BW`xB3YFAEwCXBKY74n_31t()lqtT-L>HB88Hr+DD+K;6?=f2+0%~R%N!iL=(UYkyK*;$R=;7<>Sf8bIOG2 zB6JRuMmH(bE18@cqgR@5(}|f3Qfjjm>ugI64px#;RMU0io`mU24RtnIPIG>GEi!Ux zGInkMleu8l)vnk`rbL#t>V{tV(2BBuS)+Y$}QTkq+~i z45QbJ);#ihF?_sz7VNoBF_MBJ>&LoRF(=#_(H_HWxi?+)F()X74;{T03-M78O;E&W z4&z&6qN$bpo|YiQK~4|gqhoM~=+~!WS)s>D^D%|RY1sm!=qouxRo?FI@z&+C_kCRD z6JZOA@e7E610%ECD1K?G6HlIA=1T`az_9mc#d5S&Sp3L8d$Se^2@f0)*}Bc^L>$y+>R%3Vu+xg-_D`8+0j6UlD|z%;Z00{yNB4YLmWY)eh&mwzcR-K 
z;;=`c*6Eb~p0j&)i=b!j;!9AtD^j=((ntXo!JvW2{Ez`a;Sxf#ptd4@Tf6Wn^$0H3 zp*DU-f_LRmKqe&@GV&?UbB}UhP4h!{9;ZEHnI_d|VMRq<`BP3)5AAp4KI6VwE^2q7 z-z-I&B!jNg6cG4rK-ad~57Y0lNgE=NHLf@k)H8zDH>^@Z@*!g1V@iaLzY7akMf@B8 zq+0L~XiP;>lqzT#H(3`MjL00MbI0~}JCzuzA;8(=ak?vs^O{T5YrrSV6 zuS0N&xB94j4bqeOss%-4mD| z(Zq^R;kRJ%n!^mb*_PQNsS}sgd>uLdg$PFmG=Zfn*$oUzxnBYLWbxlcGNeXOKU->` zk!a(Mi5#+FsZIuH=6u>=?qnhdxzA*rI5B;B8S$zK@ZTX{;ZtH-S)66k7=OwFk*ML? zBK0gfU&-xL`1HEP)g&Q#b~zEx+G^#wknI@6Oahw#o6nv;_OJ?|=afyWMPnITY-u>- z`5Zi|fy}Z!!l#}M6wl=@-3pCd(ZQ0wahm~R^KS!4f3PTxP(+N5-P2rawXDsBlZyl} z=0QRa-iFQs{)w7YOAv|VAy^be?V2YfakqZN_?|~edG0~F&Krowa}y$m9+#X2r-AU} zlB^JHB$|grYJ6{ru#?p&nFO%&#l3PQSh5*ZP?jFU;Xy+9Gmst|gfb!yB>-zuw6hn= zM!PN6qkdx_$4x^*$lZ4WD{m;_OQ`hm_@%*YU*{Zn&Bs&WyxV*dg*x-73x6UMtT0b~ zqvL&ty^VUyQCjMT(u)_F9)`Z?vOn1^!B2Z#YA12M*214Bhdv^@DtyQr=#Q#}0AD^g zI}ERlInLRWogpO6@p~+Y&SW&BY*3m+AzZJggEmP45xoc0;3-VJXqXfKFyufn?>YM1 z|4XJr6ro#rO2O> z6v%T9{`)s!=5*lAAh&d*D~xFaMjc=dSTc{7ATM;-BR%R}YIQROllmO{k;7aTu@i}l z_i%Ge2sa=!*>03lDpPD3$tE>e0UAq}JZyKpl+wbA)l$x4gx7>ufEcPvwhFW(uoY%6 zxx&6Lg^(>{WW4kQ2{O%;yP$lZ$QDZos8o*X$)&J zaHg1b6yIt|Z&uS<^wA>@0mr9^#*sg6uLv%i<WELsxzzTXcND)gXGmEOS)Xj}uOymfWon>`g8c80;Sd6;}c`@KRHbOn|}W^z1$q z+-yc|^+%F&#jp(XKygMlfZz)Lf=^V&_Ir=Rh2~W}8#8uNyOI9zdYB$9P5%s8x(fnL z#W{D7mgoIh16nphJcWu^hB!~2KydKC*vAu*?7x)tf}KgI;NGZ(e|5N4a*0zH16(2! 
z`odfo$$2QyBqqTQ$V}+!D2w&1e2bbLydc`3n)#c$NBDPjQD?%HG(W=qOxSwyK)z@Q zmUsZF!N0dw7K0c#t#TmsPlw0U3evKWZhh#{RH(Pex`-rAUMcB_7f_I0NWp4lE@HNf~3NwBH7=7)aPp_|Wp#>!84j*9N*Bcl5o+ z39GeEx4x8fhcM$L*3CiR`94aRPJRe36)rjN8$IM#fOCof=82#}1rXi!!+IuXxV~F} z-nk3K-keWY2e90i*Vy423rZ4p&-o+@$rO}m$MDTcA`-?G1R>}y=-l&-fYtVYf8S~8 zPJi@1ZSFZ8OC((-IPMr16*B)hQ4NmSUc{@l#gH!(5=8{TVU)4WWLf}r4pw#=WtSvi zD{b7jlf$8a%TryAD6I${F@_(qkK15@%|&)Q@gzjL2_N|r zfHF$BVwMj3{*@HmXWWqi0r|6|(m#f%Eqm%71PqyQsoqm$f87hOCl`yd^*aq(c306);4Oq;4PrJzo7o?@jIp zCbP+E(n!y_{9uv1B13|9&sp3R&&Xm=9AO2jea zoTO=J`@o}Z8Y&R9nt=;azpoA|GbxSOnU53_MvpQe>@W@PXtNQ|@)76%$GCbh3%Qpvp+QbX{IkyR7qb+ zz(CD2H<<}E(CF!9B<5WIE5gS2>H2Pq`~{XOJifz&^f#vOsWTV5NHiJw)H%}l3t}4^ z0YJFEXSCES;jG8?cA#EaWclka$6dZ1` z$9zJT#jiH8Uz^+9u=Mx_yUQ zZu&0{wZUTqrLSmkAg z+X@*jhaJ!1YFrWH*_ zO|Mm@?kzr(7W@+bxXdD()TEyrAldhhWkF6V3uFG8s?@q0+3bXFNHyJ~U|aO2=1pkK z5};LUd&d2a+Sq&uHGv+&?TQ-XIxXLPGV(q%Hsaj zf4>&551KzXj&hjf+v1#{NG)EhHoh{eI`o{NTq%0#ogzoBz9%)vX0DsG?|o92(O0g^ zyn8+<9~v-Z!i(a9}m;z8DB^iEyM2*hx+`MX92w#rTs>Ko5%fj7WIIys{*Ba znX07X0&Erew7afaJ$C(1?i{(bX&hknwy|U%p_>!MZYyxY{~<= z&oqVyfs+SZ5$RWa88ZeF-)R0P6N~mhG;VUsk_%n~;Z3*iAb)hR6raD4Xr{LSd4M=K zqkbK$>I1fA-(RdHv7*DV)9p724CJnL;CB@YTfiEu z2aTBDJR+`yebv1hUDK8dbWy6Z-a=e!+xiIKdgQb7MQ1Mi|5iF9l6PmeP2{}C`%DXd zpG)ZGUZ!RzdqMi*9LLFv&U-Z4{O+El;5uJ0;$&x$I%A%OxXPy~mG|<0o?&7BbHDMs zuwT)#^KLpJ25-gM?F5}PL4(G$upHA<6@>IU5@@r{prlX#k!R(-! 
z+pZj2&+(h#=;s*kl~)oEHK={`Rri{}eCE*1S!R<(GpDrtzr98<$oE(lV@BZhJrj-v z8r`+3oweIISVHg^Z{s52tb;<)jNajIjcorfHh(i&HMsit&ML+ z@k6l*^#Zwu&oW%U|9!oceZBd<<}&_o?)6Tu^-lHuI6uF{IB3UY&D7iz);CUtZj9bA z@4MKVEtNA~96mE)#y`#*z%9=AH1EItdJ44+}8zQ`rIe&UkE z=!GlJo&8i+W?j3nJtqJE*LH;|Z~mXt`P)A??21k(n_`0Bn(K4(WS^+Lis-I79+c~A zk{r3H^yb`Bo!zI6r|peAzG=Hn^3D0BI=_M3>zn(Ye*M(*G~wDt8J+VHeCe{M9|E~& z*CbbNwn@&+KW`;*?a-v2w6d%FU3Tra-TWzEf8w|N^K1Uy_FnS;wy`wB+nG8He4A%% z`#NjwKkJo`rig96<030oyf=B}F_T#v&m1xS+P75dbjC3w;p11Vr)BXhmOL%=(c82; z(sVi9-FhT-qa*sCkz%D3F{ zITHW9VAaN^k4tP)Ek4a(<{XgOcg6CwWn8(v4(nAp)_Rzk-<#&H_-`i9@^yzF2eGT4Qe08d_44>lj_XY) zD@-IWHy%v>vH!n(fHxzP2!jalCRz@L4&eQ?ohN27rSdT__=Ynuhyz7IfRRA~OfxVf z7o`I4sSV9^NlnYl%Ph&v&ja6Ci);wCOKuT{%mNyXapi4*H!B-R2@?>u0BMU>5Dx&^ C#=GAD diff --git a/Solutions/GitHub/Package/createUiDefinition.json b/Solutions/GitHub/Package/createUiDefinition.json index 0926637032f..cc61018a122 100644 --- a/Solutions/GitHub/Package/createUiDefinition.json +++ b/Solutions/GitHub/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [GitHub](https://github.com/) Solution for Microsoft Sentinel enables you to easily ingest events and logs from GitHub to Microsoft Sentinel using GitHub audit log API and webhooks. This enables you to view and analyze this data in your workbooks, query it to create custom alerts, and incorporate it to improve your investigation process, giving you more insight into your platform security.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n 1. [Codeless Connector Platform (CCP) (used in GitHub Enterprise Audit Log data connector)](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal) \r\n \r\n 2. [Azure Functions ](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 2, **Parsers:** 4, **Workbooks:** 2, **Analytic Rules:** 14, **Hunting Queries:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [GitHub](https://github.com/) Solution for Microsoft Sentinel enables you to easily ingest events and logs from GitHub to Microsoft Sentinel using GitHub audit log API and webhooks. 
This enables you to view and analyze this data in your workbooks, query it to create custom alerts, and incorporate it to improve your investigation process, giving you more insight into your platform security.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n 1. [Codeless Connector Platform (CCP) (used in GitHub Enterprise Audit Log data connector)](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal) \r\n \r\n 2. [Azure Functions ](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 3, **Workbooks:** 2, **Analytic Rules:** 14, **Hunting Queries:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -63,13 +63,6 @@ "text": "This Solution installs the data connector for GitHub. You can get GitHub custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, - { - "name": "dataconnectors2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for GitHub. You can get GitHub custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, { "name": "dataconnectors-parser-text", "type": "Microsoft.Common.TextBlock", 
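Review bot: The content summary in `description` drops from `**Data Connectors:** 2, **Parsers:** 4` to `**Data Connectors:** 1, **Parsers:** 3`, and nothing visible here says why a connector and a parser leave a security-monitoring solution. The counts match the rest of the patch: the next hunk deletes the `dataconnectors2-text` block, and the mainTemplate.json variables hunk further down deletes the `parserName4` / `GithubSecretScanningData` entries. What is not visible is whether any workbook, analytic rule or hunting query still shipped in the package calls that parser function. If the removal is a side effect of regenerating the package with incomplete inputs, restore the connector and parser and keep `**Data Connectors:** 2, **Parsers:** 4`. If it is intended, say so in the commit message, so that people upgrading know the secret-scanning parser is no longer installed.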
@@ -132,13 +125,13 @@ { "name": "workbook2", "type": "Microsoft.Common.Section", - "label": "GithubWorkbook", + "label": null, "elements": [ { "name": "workbook2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Gain insights to GitHub activities that may be interesting for security." + "text": null } } ] diff --git a/Solutions/GitHub/Package/mainTemplate.json b/Solutions/GitHub/Package/mainTemplate.json index ce71a7c5572..e5971e67f46 100644 --- a/Solutions/GitHub/Package/mainTemplate.json +++ b/Solutions/GitHub/Package/mainTemplate.json @@ -38,7 +38,7 @@ }, "workbook2-name": { "type": "string", - "defaultValue": "GithubWorkbook", + "defaultValue": null, "minLength": 1, "metadata": { "description": "Name for the workbook" 
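Review bot: `"label": null` and `"text": null` for `workbook2` in createUiDefinition.json leave the second workbook section with no heading and no description. The same gap appears in mainTemplate.json: the `workbook2-name` parameter gets `"defaultValue": null` while still declaring `"type": "string"` and `"minLength": 1`, and the later variables hunk sets `"workbookVersion2": ""` and `"workbookContentId2": ""`. The empty content id feeds `workbookId2`, `workbookTemplateSpecName2` and `_workbookContentId2`, so the workbook's resource id and template name are derived from an empty string; this presumably either fails deployment or registers the workbook under an unintended identity. It looks as if the packaging step could not resolve this workbook's metadata (inferred; its input is not in view). The values should be real strings again, e.g. `"label": "GithubWorkbook"`, `"defaultValue": "GithubWorkbook"` and `"workbookContentId2": "GitHubSecurityWorkbook"` as before, or the new name if the workbook was renamed on purpose.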
@@ -46,12 +46,48 @@ } }, "variables": { + "solutionId": "microsoftcorporation1622712991604.sentinel4github", + "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "GitHub", "_solutionVersion": "3.0.1", - "solutionId": "microsoftcorporation1622712991604.sentinel4github", - "_solutionId": "[variables('solutionId')]", + "uiConfigId1": "GitHubWebhook", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "GitHubWebhook", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "parserName1": "GitHubAuditData", + "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", + "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "_parserId1": "[variables('parserId1')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", + "parserVersion1": "1.0.0", + "parserContentId1": "GitHubAuditData-Parser", + "_parserContentId1": "[variables('parserContentId1')]", + "_parsercontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", + "parserName2": "GitHubCodeScanningData", + "_parserName2": "[concat(parameters('workspace'),'/',variables('parserName2'))]", + "parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName2'))]", + "_parserId2": "[variables('parserId2')]", + "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId2'))))]", + "parserVersion2": "1.0.0", + "parserContentId2": "GitHubCodeScanningData-Parser", + "_parserContentId2": "[variables('parserContentId2')]", + "_parsercontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId2'),'-', variables('parserVersion2'))))]", + "parserName3": "GitHubDependabotData", + "_parserName3": "[concat(parameters('workspace'),'/',variables('parserName3'))]", + "parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName3'))]", + "_parserId3": "[variables('parserId3')]", + "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId3'))))]", + "parserVersion3": "1.0.0", + "parserContentId3": "GitHubDependabotData-Parser", + "_parserContentId3": "[variables('parserContentId3')]", + "_parsercontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId3'),'-', variables('parserVersion3'))))]", "workbookVersion1": "1.0.0", "workbookContentId1": "UserWorkbook-alexdemichieli-github-update-1", 
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", @@ -59,8 +95,8 @@ "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", - "workbookVersion2": "1.0.0", - "workbookContentId2": "GitHubSecurityWorkbook", + "workbookVersion2": "", + "workbookContentId2": "", "workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]", "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", "_workbookContentId2": "[variables('workbookContentId2')]", 
@@ -198,106 +234,181 @@ "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))))]", "_huntingQuerycontentProductId8": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId8'),'-', variables('huntingQueryVersion8'))))]", - "parserName1": "GitHubAuditData", - "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", - "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", - "parserVersion1": "1.0.0", - "parserContentId1": "GitHubAuditData-Parser", - "_parserContentId1": "[variables('parserContentId1')]", - "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", - "parserName2": "GitHubCodeScanningData", - "_parserName2": "[concat(parameters('workspace'),'/',variables('parserName2'))]", - "parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName2'))]", - "_parserId2": "[variables('parserId2')]", - "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId2'))))]", - "parserVersion2": "1.0.0", - "parserContentId2": "GitHubCodeScanningData-Parser", - 
"_parserContentId2": "[variables('parserContentId2')]", - "_parsercontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId2'),'-', variables('parserVersion2'))))]", - "parserName3": "GitHubDependabotData", - "_parserName3": "[concat(parameters('workspace'),'/',variables('parserName3'))]", - "parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName3'))]", - "_parserId3": "[variables('parserId3')]", - "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId3'))))]", - "parserVersion3": "1.0.0", - "parserContentId3": "GitHubDependabotData-Parser", - "_parserContentId3": "[variables('parserContentId3')]", - "_parsercontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId3'),'-', variables('parserVersion3'))))]", - "parserName4": "GithubSecretScanningData", - "_parserName4": "[concat(parameters('workspace'),'/',variables('parserName4'))]", - "parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName4'))]", - "_parserId4": "[variables('parserId4')]", - "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId4'))))]", - "parserVersion4": "1.0.0", - "parserContentId4": "GithubSecretScanningData-Parser", - "_parserContentId4": "[variables('parserContentId4')]", - "_parsercontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId4'),'-', variables('parserVersion4'))))]", - "uiConfigId1": 
"GitHubEcAuditLogPolling", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "GitHubEcAuditLogPolling", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "GitHubWebhook", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "GitHubWebhook", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', 
uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName1')]", + "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitHubAdvancedSecurityWorkbook Workbook with template version 3.0.1", + "description": "GitHub data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", + "contentVersion": "[variables('dataConnectorVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Gain insights to GitHub activities that may be interesting for security." 
- }, + "kind": "GenericUI", "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f80bd5e4-0e9d-4dc7-b999-110328e5b08e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"isGlobal\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"1673856e-da45-4e3b-8c00-9790024bea39\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Repositories\",\"type\":5,\"description\":\"Repository selector\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s).full_name\\n| distinct tostring(repository)\\n| where isnotempty(repository)\\n\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f6c038fa-f6b7-4d31-9568-b1b4813e1104\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Actors\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"githubscanaudit_CL \\n| extend actor = todynamic(sender_s).login\\n| distinct tostring(actor)\\n| where 
isnotempty(actor)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"4f71b2a0-62dc-4d47-9488-e2df545d99be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n \\\"critical\\\",\\n \\\"high\\\",\\n \\\"medium\\\",\\n \\\"moderate\\\",\\n \\\"low\\\",\\n \\\"error\\\",\\n \\\"warning\\\",\\n \\\"note\\\"\\n]\",\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"b7b61394-d7c7-4a2a-9e90-5d17ce94f8d8\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Advanced Security Overview\",\"subTarget\":\"Advanced Security Overview\",\"style\":\"link\"},{\"id\":\"7b984311-578d-4162-8e03-1c82cfa37519\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Code Scanning Alerts\",\"subTarget\":\"Code Scanning Alerts\",\"style\":\"link\"},{\"id\":\"03316284-9c39-4d15-853b-568d16d264f5\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Secret Scanning Alerts\",\"subTarget\":\"Secret Scanning Alerts\",\"style\":\"link\"},{\"id\":\"8853be7b-58d0-45cc-89c3-1a9897f01b19\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Dependabot Alerts\",\"subTarget\":\"Dependabot Alerts\",\"style\":\"link\"}]},\"customWidth\":\"100\",\"name\":\"links - 
5\",\"styleSettings\":{\"margin\":\"0px\",\"padding\":\"0px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Advanced Security Overview

\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create')\\n| extend EventType='Dependabot Alert'\\n| extend alert = todynamic(alert_s) \\n| extend alertexternalidentifier= alert.external_identifier\\n| extend Severity = tostring(alert.severity)\\n| where Severity in ({Severity})\\n| where isnotempty(alertexternalidentifier)\\n| project EventType, Severity;\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created') and isnotempty(commit_oid_s)\\n| extend EventType='Code Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend Severity = tostring(alert.rule.security_severity_level)\\n| where Severity in ({Severity})\\n| where isnotempty(Severity) \\n| project EventType, Severity;\\nlet SecretScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created')\\n| extend EventType='Secret Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend Severity = \\\"high\\\"\\n| where Severity in ({Severity})\\n| where isnotempty(alertSecretType)\\n| project EventType, Severity;\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n|summarize Count = count() by tostring(Severity)\",\"size\":0,\"title\":\"Open Alerts By 
Severity\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Severity\",\"seriesLabelSettings\":[{\"seriesName\":\"high\",\"label\":\"High\",\"color\":\"redBright\"},{\"seriesName\":\"moderate\",\"label\":\"Moderate\",\"color\":\"orange\"},{\"seriesName\":\"medium\",\"label\":\"Medium\",\"color\":\"brown\"},{\"seriesName\":\"critical\",\"label\":\"Critical\",\"color\":\"redDark\"},{\"seriesName\":\"low\",\"label\":\"Low\",\"color\":\"yellow\"}]}},\"customWidth\":\"25\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create')\\n| extend EventType='Dependabot Alert'\\n| extend alert = todynamic(alert_s) \\n| extend repo = todynamic(repository_s) \\n| extend Repository = repo.full_name \\n| extend alertexternalidentifier= alert.external_identifier\\n| where isnotempty(alertexternalidentifier)\\n| extend Severity = tostring(alert.severity)\\n| where Severity in ({Severity});\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created') and isnotempty(commit_oid_s)\\n| extend EventType='Code Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend repo = todynamic(repository_s) \\n| extend Repository = repo.full_name \\n| extend Severity = alert.rule.security_severity_level\\n| extend Severity = tostring(alert.rule.security_severity_level)\\n| where Severity in ({Severity});\\nlet SecretScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = 
repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created')\\n| extend EventType='Secret Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend repo = todynamic(repository_s)\\n| extend Repository = repo.full_name \\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType)\\n| extend Severity = \\\"high\\\"\\n| where Severity in ({Severity});\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n|summarize Count = count() by tostring(Repository)\",\"size\":0,\"title\":\"Open Alerts by Repository\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"repositoryfullname\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"repositoryfullname\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"25\",\"name\":\"query - 8 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create')\\n| extend EventType='Dependabot Alert'\\n| extend alert = todynamic(alert_s) \\n| extend alertexternalidentifier= alert.external_identifier\\n| extend Severity = alert.severity\\n| where Severity in ({Severity})\\n| where isnotempty(alertexternalidentifier)\\n| project 
EventType, Severity;\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created') and isnotempty(commit_oid_s)\\n| extend EventType='Code Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend Severity = alert.rule.security_severity_level\\n| where Severity in ({Severity})\\n| project EventType, Severity;\\nlet SecretScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created')\\n| extend EventType='Secret Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend Severity = \\\"High\\\"\\n| where Severity in ({Severity})\\n| where isnotempty(alertSecretType)\\n| project EventType, Severity;\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n|summarize Count = count() by tostring(EventType)\",\"size\":0,\"title\":\"Open Alerts by Type\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"query - 8 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('dismiss', 'resolve')\\n| extend EventType='Dependabot Alert'\\n| extend alert = todynamic(alert_s) \\n| extend repo = todynamic(repository_s) \\n| extend Repository = repo.full_name \\n| extend alertexternalidentifier= alert.external_identifier\\n| where isnotempty(alertexternalidentifier)\\n| extend Severity = 
tostring(alert.severity)\\n| where Severity in ({Severity});\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('closed_by_user', 'fixed') and isnotempty(commit_oid_s)\\n| extend EventType='Code Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend repo = todynamic(repository_s) \\n| extend Repository = repo.full_name \\n| extend Severity = alert.rule.security_severity_level\\n| where Severity in ({Severity});\\nlet SecretScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('resolved')\\n| extend EventType='Secret Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend repo = todynamic(repository_s)\\n| extend Repository = repo.full_name \\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType)\\n| extend Severity = \\\"high\\\"\\n| where Severity in ({Severity});\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n| count\",\"size\":4,\"title\":\"Resolved Alert Count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 8 - Copy - Copy\",\"styleSettings\":{\"padding\":\"50px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RepositoryVulnerabilityAlerts = \\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create', 'dismiss', 'resolve')\\n| extend EventType='Dependabot Alert'\\n| extend alert = todynamic(alert_s) 
\\n| extend alertexternalidentifier= alert.external_identifier\\n| extend Severity = alert.severity\\n| where Severity in ({Severity})\\n| extend repo = todynamic(repository_s) \\n| extend Repository = repo.full_name \\n| extend id = alert.ghsa_id \\n| extend Status = action_s\\n| extend Reason = alert.affected_package_name\\n| extend Created_at = alert.created_at\\n| extend Number = alert.number\\n| extend Age = now() - todatetime(Created_at) \\n| where isnotempty(alertexternalidentifier)\\n|project Repository, Reason, id, EventType, tostring(Severity), Status, Created_at, Number, format_timespan(Age, 'dd:hh:mm:ss');\\nlet CodeScanningAlerts =\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created', 'reopened_by_user', 'closed_by_user', 'fixed', 'appeared_in_branch', 'reopened') and isnotempty(commit_oid_s)\\n| extend EventType='Code Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend Severity = alert.rule.security_severity_level\\n| extend repo = todynamic(repository_s) \\n| extend Repository = repo.full_name \\n| extend Reason = alert.rule.name\\n| extend id = alert.rule.id\\n| extend Severity = alert.rule.security_severity_level\\n| where Severity in ({Severity})\\n| extend Status = action_s\\n| extend Created_at = alert.created_at\\n| extend Number = alert.number\\n| where isnotempty(Severity) \\n| extend Age = now() - todatetime(Created_at)\\n|project Repository, Reason, id, EventType, tostring(Severity), Status, Created_at, Number, format_timespan(Age, 'dd:hh:mm:ss');\\nlet SecretScanningAlerts = \\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created', 'resolved', 'reopened')\\n| extend EventType='Secret Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| 
extend repo = todynamic(repository_s)\\n| extend Repository = repo.full_name \\n| extend Severity = \\\"high\\\"\\n| where Severity in ({Severity})\\n| extend Reason = alert.secret_type \\n| extend id = alert.number\\n| extend alertSecretType = alert.secret_type\\n| extend Status = action_s\\n| extend Created_at = alert.created_at\\n| extend Number = alert.number\\n| extend Age = now() - todatetime(Created_at)\\n| where isnotempty(alertSecretType)\\n| project Repository, Reason, id, EventType, tostring(Severity), Status, Created_at, Number, format_timespan(Age, 'dd:hh:mm:ss');\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\",\"size\":0,\"title\":\"Alert Details\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AllEvents\",\"formatter\":5},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"high\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"critical\",\"representation\":\"redDark\"},{\"operator\":\"contains\",\"thresholdValue\":\"moderate\",\"representation\":\"red\"},{\"operator\":\"contains\",\"thresholdValue\":\"medium\",\"representation\":\"orange\"},{\"operator\":\"contains\",\"thresholdValue\":\"low\",\"representation\":\"yellow\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":5000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Age\",\"label\":\"Age(dd:hh:mm:ss)\"}]}},\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Advanced Security Overview\"},\"name\":\"Advanced Security 
Overview\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Code Scanning Alerts

\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('closed_by_user', 'fixed') and isnotempty(commit_oid_s)\\n| extend alert = todynamic(alert_s)\\n| extend url = alert.url\\n| extend repo = todynamic(repository_s)\\n| extend repository = repo.name\\n| extend created_at = alert.created_at\\n| extend resolved_at = alert.fixed_at\\n| extend day = todatetime(resolved_at) - todatetime(created_at)\\n| summarize format_timespan(avg(day), 'dd:hh:mm:ss')\",\"size\":4,\"title\":\"Mean Time to Resolution (dd:hh:mm:ss)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}],\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created') and isnotempty(commit_oid_s)\\n| extend Status = action_s\\n| 
count\",\"size\":4,\"title\":\"Created\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('fixed') and isnotempty(commit_oid_s)\\n| extend Status = action_s\\n| 
count\",\"size\":4,\"title\":\"Fixed\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('reopened') and isnotempty(commit_oid_s)\\n| extend Status = action_s\\n| 
count\",\"size\":4,\"title\":\"Reopened\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created', \\\"fixed\\\") and isnotempty(commit_oid_s)\\n| summarize event_count=count() by tostring(action_s), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"Alert Found/Fixed 
Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"created\",\"label\":\"Created\"},{\"seriesName\":\"fixed\",\"label\":\"Fixed\"}]}},\"customWidth\":\"33\",\"name\":\"query - 7\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let GithubPushes = githubscanaudit_CL\\n| extend EventType='Push'\\n| extend status = todynamic(action_s)\\n| extend commit = todynamic(commits_s)[0]\\n| extend added = commit.added\\n| extend modified = commit.modified\\n| extend removed = commit.removed\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories})\\n| where isnotempty(modified[0]) or isnotempty(added[0]);\\nlet CodeScanningAlerts = \\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created', 'reopened') and isnotempty(commit_oid_s)\\n| extend EventType='Code Scanning Alert';\\nunion withsource=\\\"AllEvents\\\" CodeScanningAlerts, GithubPushes\\n| summarize event_count=count() by EventType, bin(TimeGenerated,1d)\\n\",\"size\":0,\"title\":\"Commit/Alert 
Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Push\",\"label\":\"Commits\"},{\"seriesName\":\"Code Scanning Alert\",\"label\":\"Alerts\"}]}},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created', \\\"appeared_in_branch\\\") and isnotempty(commit_oid_s)\\n| extend alert = todynamic(alert_s)\\n| extend Tool = alert.tool.name\\n| project TimeGenerated, Tool\\n| summarize Count = count() by tostring(Tool), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"New Alerts by Tool\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('closed_by_user', 'fixed') and isnotempty(commit_oid_s)\\n| extend alert = todynamic(alert_s)\\n| extend URL = alert.html_url\\n| extend tool = alert.tool.name\\n| extend repo = todynamic(repository_s)\\n| extend repository = repo.name\\n| extend created_at = alert.created_at\\n| extend resolved_at = alert.fixed_at\\n| extend Time_To_Resolution = format_timespan(todatetime(resolved_at) - todatetime(created_at), 'dd:hh:mm:ss')\\n| project repository, URL, 
tool, created_at, resolved_at, Time_To_Resolution\",\"size\":0,\"title\":\"Fixed Alerts\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"labelSettings\":[{\"columnId\":\"repository\",\"label\":\"Repository\"},{\"columnId\":\"tool\",\"label\":\"Tool\"},{\"columnId\":\"created_at\",\"label\":\"Created at\"},{\"columnId\":\"resolved_at\",\"label\":\"Resolved at\"},{\"columnId\":\"Time_To_Resolution\",\"label\":\"Time to Resolution(dd:hh:mm:ss)\"}]}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created', 'reopened_by_user', 'reopened') and isnotempty(commit_oid_s)\\n| extend alert = todynamic(alert_s)\\n| extend repo = todynamic(repository_s)\\n|extend repository = repo.full_name\\n| extend severity = alert.rule.security_severity_level\\n| where isnotempty(severity)\\n| summarize Total=count(severity), Critical=countif(severity=='critical'), High=countif(severity=='high'), Medium=countif(severity=='medium'), Low=countif(severity=='low') by tostring(repository)\\n\",\"size\":0,\"title\":\"Alerts by 
Severity\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Critical\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"representation\":\"redDark\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"red\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"High\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Medium\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Low\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"repository\",\"label\":\"Repository\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"severity\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"severity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"event_count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"event_count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"event_count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"event_count\",\"heatmapPalette\":\"g
reenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10px\",\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created', 'reopened') and isnotempty(commit_oid_s)\\n| extend alert = todynamic(alert_s)\\n| extend repo = todynamic(repository_s)\\n| extend Tool = tostring(alert.tool.name)\\n| extend Repository = repo.full_name\\n| project Repository, Tool\\n| evaluate pivot(tostring(Tool))\\n| order by tostring(Repository) asc\",\"size\":0,\"title\":\"Alerts by Repo\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true,\"sortBy\":[{\"itemKey\":\"Repository\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Repository\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"margin\":\"10px\",\"padding\":\"20px\"}}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Code Scanning Alerts\"},\"name\":\"Code Scanning Alerts\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Secret Scanning Alerts

\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Secret Scanning Alerts\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('resolved')\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType)\\n| extend created_at = alert.created_at\\n| extend resolved_at = alert.resolved_at\\n| extend day = todatetime(resolved_at) - todatetime(created_at)\\n| summarize format_timespan(avg(day), 'dd:hh:mm:ss')\",\"size\":4,\"title\":\"Mean Time to Resolution (dd:hh:mm:ss)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}],\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"33\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created')\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType)\\n| extend actor = todynamic(sender_s)\\n| extend actorname = actor.login\\n| where actorname in ({Actors})\\n| count \",\"size\":4,\"title\":\"Found 
Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('resolved')\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType)\\n| count \\n\",\"size\":4,\"title\":\"Fixed Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"33\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where 
repositoryfullname in ({Repositories}) and action_s in ('created')\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType)\\n| summarize Count = count() by tostring(alertSecretType)\",\"size\":0,\"title\":\"Secrets by Type\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created')\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where isnotempty(alertSecretType)\\n| summarize Count = count() by tostring(repositoryfullname)\",\"size\":0,\"title\":\"Secrets by Repository\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"33\",\"name\":\"query - 7\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in 
({Repositories}) and action_s in ('created', 'resolved')\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType)\\n| summarize Count = count() by bin(TimeGenerated, 1d), action_s\",\"size\":0,\"title\":\"Secrets Found/Fixed Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('resolved')\\n| extend alert = todynamic(alert_s)\\n| extend Secret_Type = alert.secret_type\\n| extend Repository = todynamic(repository_s).full_name\\n| extend Organization = todynamic(organization_s).login\\n| extend Created_at = alert.created_at\\n| extend Resolved_at = alert.resolved_at\\n| extend Time_to_Resolution= format_timespan(todatetime(Resolved_at) - todatetime(Created_at), 'dd:hh:mm:ss' )\\n| extend Resolution = case(isnotnull(alert.resolution), alert.resolution, \\\"Null\\\") \\n| extend URL = todynamic(repository_s).url \\n| where isnotempty(Secret_Type)\\n|project Secret_Type, Organization, Repository, Resolution, Time_to_Resolution\",\"size\":0,\"title\":\"Fixed Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true,\"sortBy\":[{\"itemKey\":\"Time_to_Resolution\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Secret_Type\",\"label\":\"Secret Type\"},{\"columnId\":\"Time_to_Resolution\",\"label\":\"Time to 
Resolution(dd:hh:mm:ss)\"}]},\"sortBy\":[{\"itemKey\":\"Time_to_Resolution\",\"sortOrder\":2}]},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created')\\n| extend alert = todynamic(alert_s)\\n| extend Secret_Type = alert.secret_type\\n| extend Repository = todynamic(repository_s).full_name\\n| extend Organization = todynamic(organization_s).login\\n| extend Created_at = alert.created_at\\n| extend URL = alert.html_url \\n| where isnotempty(Secret_Type)\\n| project tostring(Secret_Type), tostring(Organization), tostring(Repository), tostring(URL), tostring(Created_at)\",\"size\":0,\"title\":\"Found Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"Created_at\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Secret_Type\",\"label\":\"Secret Type\"},{\"columnId\":\"Created_at\",\"label\":\"Created at\"}]},\"sortBy\":[{\"itemKey\":\"Created_at\",\"sortOrder\":2}]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Secret Scanning Alerts\"},\"name\":\"Secret Scanning Alerts\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Dependabot Alerts

\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('resolve')\\n| extend alert = todynamic(alert_s)\\n| extend created_at = alert.created_at \\n| extend resolved_at = alert.fixed_at\\n| extend alertexternalidentifier= alert.external_identifier\\n| where isnotempty(alertexternalidentifier)\\n| extend day = todatetime(resolved_at) - todatetime(created_at)\\n| summarize format_timespan(avg(day), 'dd:hh:mm:ss')\\n\",\"size\":4,\"title\":\"Mean Time to Resolution (dd:hh:mm:ss)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}],\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create')\\n| extend alert = todynamic(alert_s)\\n| extend Status = action_s\\n| extend alertexternalidentifier= alert.external_identifier\\n| where isnotempty(alertexternalidentifier)\\n| 
count\",\"size\":4,\"title\":\"Created\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('resolve')\\n| extend alert = todynamic(alert_s)\\n| extend Status = action_s\\n| extend alertexternalidentifier= alert.external_identifier\\n| where isnotempty(alertexternalidentifier)\\n| 
count\",\"size\":4,\"title\":\"Resolved\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('dismiss')\\n| extend alert = todynamic(alert_s)\\n| extend Status = action_s\\n| extend alertexternalidentifier= alert.external_identifier\\n| where isnotempty(alertexternalidentifier)\\n| 
count\",\"size\":4,\"title\":\"Dismissed\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create', 'dismiss', 'resolve')\\n| extend alert = todynamic(alert_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| where isnotempty(alertexternalidentifier)\\n| summarize Count = count() by tostring(action_s), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"Alert Found/Fixed 
Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"create\",\"label\":\"Found\"},{\"seriesName\":\"resolve\",\"label\":\"Fixed\"},{\"seriesName\":\"dismiss\",\"label\":\"Dismissed\"}]}},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create')\\n| extend EventType='RepositoryVulnerabilityAlert'\\n| extend alert = todynamic(alert_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend Repository = todynamic(repository_s).full_name\\n| where isnotempty(alertexternalidentifier)\\n| summarize Count=count() by tostring(Repository)\",\"size\":0,\"title\":\"Vulnerabilities by Repo\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"33\",\"name\":\"query - 7\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s 
in ('create')\\n| extend EventType='RepositoryVulnerabilityAlert'\\n| extend alert = todynamic(alert_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend Repository = todynamic(repository_s).full_name\\n| where isnotempty(alertexternalidentifier)\\n| summarize Count=count() by tostring(Severity), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"New Alerts by Severity\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('resolve', 'dismiss')\\n| extend alert = todynamic(alert_s)\\n|extend Action = todynamic(action_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend repo = todynamic(repository_s)\\n| extend Alert_URL = alert.external_reference\\n| extend Repository = repo.full_name\\n| extend created_at = alert.created_at\\n| extend resolved_at = case(isnotnull(alert.fixed_at), alert.fixed_at, alert.dismissed_at)\\n| extend Time_to_Resolution = format_timespan(todatetime(resolved_at) - todatetime(created_at), 'dd:hh:mm:ss')\\n| where isnotempty(alertexternalidentifier)\\n| project Action, Repository, Severity, Alert_URL, Time_to_Resolution\",\"size\":0,\"title\":\"Fixed 
Alerts\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Alert_URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"Repository\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Time_to_Resolution\",\"label\":\"Time to Resolution(dd:hh:mm:ss)\"}]},\"sortBy\":[{\"itemKey\":\"Repository\",\"sortOrder\":2}]},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create')\\n| extend alert = todynamic(alert_s)\\n| extend Action = todynamic(action_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend repo = todynamic(repository_s)\\n| extend Alert_URL = alert.external_reference\\n| extend Repository = repo.full_name\\n| extend created_at = alert.created_at\\n| extend resolved_at = alert.fixed_at\\n| extend Time_to_Resolution = todatetime(resolved_at) - todatetime(created_at)\\n| where isnotempty(alertexternalidentifier)\\n| summarize Total=count(Severity), Critical=countif(Severity=='critical'), High=countif(Severity=='high'), Medium=countif(Severity=='moderate'), Low=countif(Severity=='low') by tostring(Repository)\",\"size\":0,\"title\":\"Alerts by 
Repo\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Critical\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redDark\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"High\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Medium\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Low\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Dependabot Alerts\"},\"name\":\"Dependabot Alerts\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-UserWorkbook-alexdemichieli-github-update-1\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "GitHub (using Webhooks) (using Azure Functions)", + "publisher": "Microsoft", + "descriptionMarkdown": "The [GitHub](https://www.github.com) webhook data connector provides the capability to ingest GitHub subscribed events into Microsoft Sentinel using [GitHub webhook events](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads). 
The connector provides ability to get events into Sentinel which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. \n\n **Note:** If you are intended to ingest Github Audit logs, Please refer to GitHub Enterprise Audit Log Connector from \"**Data Connectors**\" gallery.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "githubscanaudit_CL", + "baseQuery": "githubscanaudit_CL" + } + ], + "sampleQueries": [ + { + "description": "GitHub Events - All Activities.", + "query": "githubscanaudit_CL\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "githubscanaudit_CL", + "lastDataReceivedQuery": "githubscanaudit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "githubscanaudit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector has been built on http trigger based Azure Function. And it provides an endpoint to which github will be connected through it's webhook capability and posts the subscribed events into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + { + "description": "**Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Github Webhook connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "**Option 1 - Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the GitHub data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-GitHubwebhookAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region and deploy. \n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "description": "**Option 2 - Manual Deployment of Azure Functions**\n\nUse the following step-by-step instructions to deploy the GitHub webhook data connector manually with Azure Functions (Deployment via Visual Studio Code)." + }, + { + "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-GitHubWebhookAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. 
Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. GitHubXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + }, + { + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional) - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. 
Once all application settings have been entered, click **Save**." + }, + { + "description": "**Post Deployment steps**\n\n" + }, + { + "description": "**STEP 1 - To get the Azure Function url**\n\n 1. Go to Azure function Overview page and Click on \"Functions\" in the left blade.\n 2. Click on the function called \"GithubwebhookConnector\".\n 3. Go to \"GetFunctionurl\" and copy the function url." + }, + { + "description": "**STEP 2 - Configure Webhook to Github Organization**\n\n 1. Go to [GitHub](https://www.github.com) and open your account and click on \"Your Organizations.\"\n 2. Click on Settings.\n 3. Click on \"Webhooks\" and enter the function app url which was copied from above STEP 1 under payload URL textbox. \n 4. Choose content type as \"application/json\". \n 5. Subscribe for events and Click on \"Add Webhook\"" + }, + { + "description": "*Now we are done with the github Webhook configuration. Once the github events triggered and after the delay of 20 to 30 mins (As there will be a dealy for LogAnalytics to spin up the resources for the first time), you should be able to see all the transactional events from the Github into LogAnalytics workspace table called \"githubscanaudit_CL\".*\n\n For more details, Click [here](https://aka.ms/sentinel-gitHubwebhooksteps)" + } + ], + "metadata": { + "id": "Unique Identifier (GUID) used to identify dependencies and content from solutions or community.", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "community" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "community", + "name": "Microsoft", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "apiVersion": "2023-04-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { - "description": "@{workbookKey=UserWorkbook-alexdemichieli-github-update-1; logoFileName=GitHub.svg; description=Gain insights to GitHub activities that may be interesting for security.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=GitHub Security; templateRelativePath=GitHubAdvancedSecurity.json; subtitle=; provider=Microsoft}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", "source": { "kind": "Solution", "name": "GitHub", @@ -312,19 +423,6 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "GitHubAuditLogPolling_CL", - "kind": "DataType" - }, - { - "contentId": "GitHubEcAuditLogPolling", - "kind": "DataConnector" - } - ] } } } 
@@ -335,60 +433,227 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId1')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook1-name')]", - "contentProductId": "[variables('_workbookcontentProductId1')]", - "id": "[variables('_workbookcontentProductId1')]", - "version": "[variables('workbookVersion1')]" + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "GitHub (using Webhooks) (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "GitHub", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", 
+ "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "GitHub (using Webhooks) (using Azure Functions)", + "publisher": "Microsoft", + "descriptionMarkdown": "The [GitHub](https://www.github.com) webhook data connector provides the capability to ingest GitHub subscribed events into Microsoft Sentinel using [GitHub webhook events](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads). The connector provides ability to get events into Sentinel which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. \n\n **Note:** If you are intended to ingest Github Audit logs, Please refer to GitHub Enterprise Audit Log Connector from \"**Data Connectors**\" gallery.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "githubscanaudit_CL", + "baseQuery": "githubscanaudit_CL" + } + ], + "dataTypes": [ + { + "name": "githubscanaudit_CL", + "lastDataReceivedQuery": "githubscanaudit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "githubscanaudit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" + ] + } + ], + "sampleQueries": [ + { + "description": "GitHub Events - All Activities.", + "query": "githubscanaudit_CL\n | sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + 
"write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector has been built on http trigger based Azure Function. And it provides an endpoint to which github will be connected through it's webhook capability and posts the subscribed events into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + { + "description": "**Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Github Webhook connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "**Option 1 - Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the GitHub data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-GitHubwebhookAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region and deploy. \n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "description": "**Option 2 - Manual Deployment of Azure Functions**\n\nUse the following step-by-step instructions to deploy the GitHub webhook data connector manually with Azure Functions (Deployment via Visual Studio Code)." + }, + { + "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-GitHubWebhookAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. 
Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. GitHubXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + }, + { + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional) - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. 
Once all application settings have been entered, click **Save**." + }, + { + "description": "**Post Deployment steps**\n\n" + }, + { + "description": "**STEP 1 - To get the Azure Function url**\n\n 1. Go to Azure function Overview page and Click on \"Functions\" in the left blade.\n 2. Click on the function called \"GithubwebhookConnector\".\n 3. Go to \"GetFunctionurl\" and copy the function url." + }, + { + "description": "**STEP 2 - Configure Webhook to Github Organization**\n\n 1. Go to [GitHub](https://www.github.com) and open your account and click on \"Your Organizations.\"\n 2. Click on Settings.\n 3. Click on \"Webhooks\" and enter the function app url which was copied from above STEP 1 under payload URL textbox. \n 4. Choose content type as \"application/json\". \n 5. Subscribe for events and Click on \"Add Webhook\"" + }, + { + "description": "*Now we are done with the github Webhook configuration. Once the github events triggered and after the delay of 20 to 30 mins (As there will be a dealy for LogAnalytics to spin up the resources for the first time), you should be able to see all the transactional events from the Github into LogAnalytics workspace table called \"githubscanaudit_CL\".*\n\n For more details, Click [here](https://aka.ms/sentinel-gitHubwebhooksteps)" + } + ], + "id": "[variables('_uiConfigId1')]" + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName2')]", + "name": "[variables('parserTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitHubWorkbookWorkbook Workbook with template version 3.0.1", + "description": "GitHubAuditData Data Parser with template version 3.0.1", 
"mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion2')]", + "contentVersion": "[variables('parserVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId2')]", + "name": "[variables('_parserName1')]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Gain insights to GitHub activities that may be interesting for security." - }, "properties": { - "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Topics and repository filters are mutually exlusive. To filter for topics, deselect all repositories and vice versa\",\"style\":\"warning\"},\"name\":\"text - 6\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f80bd5e4-0e9d-4dc7-b999-110328e5b08e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"isGlobal\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"87b3e22f-fc5b-4c56-a449-372be28ec152\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Orgs\",\"type\":5,\"description\":\"Org 
selector\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"githubscanaudit_CL \\n| extend organization = todynamic(organization_s).login\\n| distinct tostring(organization)\\n| where isnotempty(organization)\\n\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"dsp-testing\"]},{\"id\":\"1673856e-da45-4e3b-8c00-9790024bea39\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Repositories\",\"type\":5,\"description\":\"Repository selector\",\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s).full_name\\n| extend organization = todynamic(organization_s).login\\n| where isnotempty(repository) and tostring(organization) in ({Orgs})\\n| distinct tostring(repository)\\n\\n\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"10bfa980-1673-4a8c-9d59-fe12a24e297c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Topics\",\"type\":5,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let selection = dynamic([{Repositories}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend topics = repository.topics\\n| extend org = todynamic(organization_s)\\n| extend orgName = org.login\\n| extend reposAreNotSelected = array_length((selection)) == 0\\n| where topics <> \\\"[]\\\" and orgName in ({Orgs}) //and reposAreNotSelected\\n| mv-expand topics\\n| distinct 
tostring(topics)\\n| project topics\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"b7b61394-d7c7-4a2a-9e90-5d17ce94f8d8\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Advanced Security Overview\",\"subTarget\":\"Advanced Security Overview\",\"style\":\"link\"},{\"id\":\"7b984311-578d-4162-8e03-1c82cfa37519\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Code Scanning Alerts\",\"subTarget\":\"Code Scanning Alerts\",\"style\":\"link\"},{\"id\":\"03316284-9c39-4d15-853b-568d16d264f5\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Secret Scanning Alerts\",\"subTarget\":\"Secret Scanning Alerts\",\"style\":\"link\"},{\"id\":\"8853be7b-58d0-45cc-89c3-1a9897f01b19\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Dependabot Alerts\",\"subTarget\":\"Dependabot Alerts\",\"style\":\"link\"}]},\"customWidth\":\"50\",\"name\":\"links - 5\",\"styleSettings\":{\"margin\":\"0px\",\"padding\":\"0px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Advanced Security Overview

\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\nlet RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend EventType='Dependabot Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s) \\n| extend alertexternalidentifier= alert.external_identifier\\n| extend Severity = tostring(alert.severity)\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('create') and isnotempty(alertexternalidentifier)\\n| project EventType, Severity, orgFullName;\\n\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend EventType='Code Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Severity = tostring(alert.rule.security_severity_level)\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in 
(repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created') and isnotempty(commit_oid_s) and isnotempty(Severity) \\n| project EventType, Severity, orgFullName, repositoryfullname;\\n\\nlet SecretScanningAlerts = githubscanaudit_CL \\n| extend EventType='Secret Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend Severity = \\\"high\\\"\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created') and isnotempty(alertSecretType)\\n| project EventType, Severity, orgFullName, repositoryfullname;\\n union withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n| summarize Count = count() by tostring(Severity)\",\"size\":0,\"title\":\"Open Alerts By 
Severity\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Severity\",\"createOtherGroup\":\"\",\"seriesLabelSettings\":[{\"seriesName\":\"high\",\"label\":\"High\",\"color\":\"redBright\"},{\"seriesName\":\"moderate\",\"label\":\"Moderate\",\"color\":\"orange\"},{\"seriesName\":\"medium\",\"label\":\"Medium\",\"color\":\"brown\"},{\"seriesName\":\"critical\",\"label\":\"Critical\",\"color\":\"redDark\"},{\"seriesName\":\"low\",\"label\":\"Low\",\"color\":\"yellow\"}]}},\"customWidth\":\"25\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\nlet RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend EventType='Dependabot Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend alert = todynamic(alert_s) \\n| extend alertexternalidentifier= alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create');\\n\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend EventType='Code Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend 
repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s) \\n| extend Severity = alert.rule.security_severity_level\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created') and isnotempty(commit_oid_s);\\n\\nlet SecretScanningAlerts = githubscanaudit_CL \\n| extend EventType='Secret Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s) \\n| extend alertSecretType = alert.secret_type\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertSecretType) and action_s in ('created');\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n|summarize Count = count() by tostring(repositoryfullname)\",\"size\":0,\"title\":\"Open Alerts by 
Repository\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"repositoryfullname\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"repositoryfullname\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"25\",\"name\":\"query - 8 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\n\\nlet RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend EventType='Dependabot Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s) \\n| extend alertexternalidentifier= alert.external_identifier\\n| extend Severity = alert.severity\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\\n| project EventType, 
Severity;\\n\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend EventType='Code Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Severity = alert.rule.security_severity_level\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created') and isnotempty(commit_oid_s)\\n| project EventType, Severity;\\n\\nlet SecretScanningAlerts = githubscanaudit_CL \\n| extend EventType='Secret Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend Severity = \\\"High\\\"\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created') and isnotempty(alertSecretType)\\n| project EventType, Severity;\\nunion 
withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n|summarize Count = count() by tostring(EventType)\",\"size\":0,\"title\":\"Open Alerts by Type\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"query - 8 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\n\\nlet RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend EventType='Dependabot Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s) \\n| extend Repository = repository.full_name \\n| extend alertexternalidentifier= alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('dismiss', 'resolve') and isnotempty(alertexternalidentifier);\\n\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend EventType='Code Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Repository = repository.full_name \\n| extend Severity = alert.rule.security_severity_level\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| 
extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('closed_by_user', 'fixed') and isnotempty(commit_oid_s);\\n\\nlet SecretScanningAlerts = githubscanaudit_CL\\n| extend EventType='Secret Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Repository = repository.full_name \\n| extend alertSecretType = alert.secret_type\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('resolved') and isnotempty(alertSecretType);\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n| count\",\"size\":4,\"title\":\"Resolved Alert Count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 8 - Copy - 
Copy\",\"styleSettings\":{\"padding\":\"50px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\nlet RepositoryVulnerabilityAlerts = \\ngithubscanaudit_CL \\n| extend EventType='Dependabot Alert'\\n| extend repository = todynamic(repository_s)\\n| extend Repository = repository.full_name \\n| extend alert = todynamic(alert_s) \\n| extend alertexternalidentifier = alert.external_identifier\\n| extend Severity = alert.severity\\n| extend id = alert.ghsa_id \\n| extend Status = action_s\\n| extend Reason = alert.affected_package_name\\n| extend Created_at = alert.created_at\\n| extend Number = alert.number\\n| extend Age = now() - todatetime(Created_at)\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (Repository in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('create', 'dismiss', 'resolve') and isnotempty(alertexternalidentifier)\\n| project Repository, Reason, id, EventType, tostring(Severity), Status, Created_at, Number, format_timespan(Age, 'dd:hh:mm:ss');\\n\\nlet CodeScanningAlerts =\\ngithubscanaudit_CL \\n| extend EventType='Code Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend Repository = repository.full_name \\n| extend alert = todynamic(alert_s)\\n| extend Severity = alert.rule.security_severity_level\\n| extend Reason = alert.rule.name\\n| extend id = alert.rule.id\\n| extend Severity = alert.rule.security_severity_level\\n| extend Status = 
action_s\\n| extend Created_at = alert.created_at\\n| extend Number = alert.number\\n| extend Age = now() - todatetime(Created_at)\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (Repository in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created', 'reopened_by_user', 'closed_by_user', 'fixed', 'appeared_in_branch', 'reopened') and isnotempty(commit_oid_s) and isnotempty(Severity) \\n| project Repository, Reason, id, EventType, tostring(Severity), Status, Created_at, Number, format_timespan(Age, 'dd:hh:mm:ss');\\n\\nlet SecretScanningAlerts = \\ngithubscanaudit_CL \\n| extend EventType='Secret Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend Repository = repository.full_name \\n| extend alert = todynamic(alert_s)\\n| extend Severity = \\\"high\\\"\\n| extend Reason = alert.secret_type \\n| extend id = alert.number\\n| extend alertSecretType = alert.secret_type\\n| extend Status = action_s\\n| extend Created_at = alert.created_at\\n| extend Number = alert.number\\n| extend Age = now() - todatetime(Created_at)\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (Repository in 
(repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created', 'resolved', 'reopened') and isnotempty(alertSecretType)\\n| project Repository, Reason, id, EventType, tostring(Severity), Status, Created_at, Number, format_timespan(Age, 'dd:hh:mm:ss');\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\",\"size\":0,\"title\":\"Alert Details\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AllEvents\",\"formatter\":5},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"high\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"critical\",\"representation\":\"redDark\"},{\"operator\":\"contains\",\"thresholdValue\":\"moderate\",\"representation\":\"red\"},{\"operator\":\"contains\",\"thresholdValue\":\"medium\",\"representation\":\"orange\"},{\"operator\":\"contains\",\"thresholdValue\":\"low\",\"representation\":\"yellow\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":5000,\"filter\":true}},\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Advanced Security Overview\"},\"name\":\"Advanced Security Overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Code Scanning Alerts

\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend alert = todynamic(alert_s)\\n| extend url = alert.url\\n| extend repo = todynamic(repository_s)\\n| extend repository = repo.name\\n| extend created_at = alert.created_at\\n| extend resolved_at = alert.fixed_at\\n| extend day = todatetime(resolved_at) - todatetime(created_at)\\n| where action_s in ('closed_by_user', 'fixed') and isnotempty(commit_oid_s)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| summarize format_timespan(avg(day), 'dd:hh:mm:ss')\",\"size\":4,\"title\":\"Mean Time to Resolution (dd:hh:mm:ss)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = 
repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created') and isnotempty(commit_oid_s)\\n| count\",\"size\":4,\"title\":\"Created\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = 
todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('fixed') and isnotempty(commit_oid_s)\\n| count\",\"size\":4,\"title\":\"Fixed\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = 
todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('reopened') and isnotempty(commit_oid_s)\\n| count\",\"size\":4,\"title\":\"Reopened\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = 
dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created', \\\"fixed\\\") and isnotempty(commit_oid_s)\\n| summarize event_count=count() by tostring(action_s), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"Alert Found/Fixed Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"created\",\"label\":\"Created\"},{\"seriesName\":\"fixed\",\"label\":\"Fixed\"}]}},\"customWidth\":\"33\",\"name\":\"query - 7\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\nlet GithubPushes = githubscanaudit_CL\\n| extend EventType='Push'\\n| extend status = todynamic(action_s)\\n| extend 
commit = todynamic(commits_s)[0]\\n| extend added = commit.added\\n| extend modified = commit.modified\\n| extend removed = commit.removed\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(modified[0]) or isnotempty(added[0]);\\nlet CodeScanningAlerts = \\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created', 'reopened') and isnotempty(commit_oid_s)\\n| extend EventType='Code Scanning Alert';\\nunion withsource=\\\"AllEvents\\\" CodeScanningAlerts, GithubPushes\\n| summarize event_count=count() by EventType, bin(TimeGenerated,1d)\\n\",\"size\":0,\"title\":\"Commit/Alert 
Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Push\",\"label\":\"Commits\"},{\"seriesName\":\"Code Scanning Alert\",\"label\":\"Alerts\"}]}},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Tool = alert.tool.name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created', \\\"appeared_in_branch\\\") and isnotempty(commit_oid_s)\\n| project TimeGenerated, Tool\\n| summarize Count = count() by tostring(Tool), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"New Alerts by Tool\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend topics = repository.topics\\n| extend alert = todynamic(alert_s)\\n| extend URL = alert.html_url\\n| extend tool = alert.tool.name\\n| extend created_at = alert.created_at\\n| extend resolved_at = alert.fixed_at\\n| extend Time_To_Resolution = format_timespan(todatetime(resolved_at) - todatetime(created_at), 'dd:hh:mm:ss')\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('closed_by_user', 'fixed') and isnotempty(commit_oid_s)\\n| project repository, URL, tool, created_at, resolved_at, Time_To_Resolution\",\"size\":0,\"title\":\"Fixed Alerts\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}]}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend severity = alert.rule.security_severity_level\\n| extend org = 
todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created', 'reopened_by_user', 'reopened') and isnotempty(commit_oid_s) and isnotempty(severity)\\n| summarize Total=count(severity), Critical=countif(severity=='critical'), High=countif(severity=='high'), Medium=countif(severity=='medium'), Low=countif(severity=='low') by tostring(repositoryfullname)\\n\",\"size\":0,\"title\":\"Alerts by Severity\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Critical\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"representation\":\"redDark\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"red\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"High\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Medium\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Low\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"yel
low\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"Total\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Total\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"severity\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"severity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"event_count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"event_count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"event_count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"event_count\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10px\",\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend alert = todynamic(alert_s)\\n| extend repo = todynamic(repository_s)\\n| extend Tool = tostring(alert.tool.name)\\n| extend Repository = repo.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (Repository in 
(repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created', 'reopened') and isnotempty(commit_oid_s)\\n| project Repository, Tool\\n| evaluate pivot(tostring(Tool))\\n| order by tostring(Repository) asc\",\"size\":0,\"title\":\"Alerts by Repo\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true,\"sortBy\":[{\"itemKey\":\"Grype\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Grype\",\"sortOrder\":2}]},\"customWidth\":\"45\",\"name\":\"query - 1\",\"styleSettings\":{\"margin\":\"10px\",\"padding\":\"20px\"}}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Code Scanning Alerts\"},\"name\":\"Code Scanning Alerts\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Secret Scanning Alerts

\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Secret Scanning Alerts\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend created_at = alert.created_at\\n| extend resolved_at = alert.resolved_at\\n| extend day = todatetime(resolved_at) - todatetime(created_at)\\n| extend day = todatetime(resolved_at) - todatetime(created_at)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertSecretType)\\n| summarize format_timespan(avg(day), 'dd:hh:mm:ss')\",\"size\":4,\"title\":\"Mean Time to Resolution (dd:hh:mm:ss)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}],\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"33\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\n\\nlet repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = 
dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType) and action_s in ('created')\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| project repositoryfullname, topic, repoTopics, Out, areTopicsSelected\\n| count\\n\",\"size\":4,\"title\":\"Found Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPale
tte\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\n\\nlet repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n| extend Out = topic in (repoTopics)\\n| summarize topic = make_list(topic), Out= make_list(Out)\\n| project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertSecretType) and action_s in ('resolved')\\n| count\",\"size\":4,\"title\":\"Fixed Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"33\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | 
summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertSecretType) and action_s in ('created')\\n| summarize Count = count() by tostring(alertSecretType)\",\"size\":0,\"title\":\"Secrets by Type\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertSecretType) and action_s in ('created')\\n| summarize Count = count() by 
tostring(repositoryfullname)\",\"size\":0,\"title\":\"Secrets by Repository\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"33\",\"name\":\"query - 7\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertSecretType) and action_s in ('created', 'resolved')\\n| summarize Count = count() by bin(TimeGenerated, 1d), action_s\",\"size\":0,\"title\":\"Secrets Found/Fixed 
Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Secret_Type = alert.secret_type\\n| extend Repository = todynamic(repository_s).full_name\\n| extend Organization = todynamic(organization_s).login\\n| extend Created_at = alert.created_at\\n| extend Resolved_at = alert.resolved_at\\n| extend Time_to_Resolution= format_timespan(todatetime(Resolved_at) - todatetime(Created_at), 'dd:hh:mm:ss' )\\n| extend Resolution = case(isnotnull(alert.resolution), alert.resolution, \\\"Null\\\") \\n| extend URL = todynamic(repository_s).url\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(Secret_Type) and action_s in ('resolved')\\n|project Secret_Type, Organization, Repository, Resolution, Time_to_Resolution\",\"size\":0,\"title\":\"Fixed 
Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true,\"sortBy\":[{\"itemKey\":\"Time_to_Resolution\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Secret_Type\",\"label\":\"Secret Type\"},{\"columnId\":\"Time_to_Resolution\",\"label\":\"Time to Resolution(dd:hh:mm:ss)\"}]},\"sortBy\":[{\"itemKey\":\"Time_to_Resolution\",\"sortOrder\":2}]},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Secret_Type = alert.secret_type\\n| extend Repository = todynamic(repository_s).full_name\\n| extend Organization = todynamic(organization_s).login\\n| extend Created_at = alert.created_at\\n| extend URL = alert.html_url\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(Secret_Type) and action_s in ('created')\\n| project tostring(Secret_Type), tostring(Organization), tostring(Repository), tostring(URL), tostring(Created_at)\",\"size\":0,\"title\":\"Found 
Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"Created_at\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Secret_Type\",\"label\":\"Secret Type\"},{\"columnId\":\"Created_at\",\"label\":\"Created at\"}]},\"sortBy\":[{\"itemKey\":\"Created_at\",\"sortOrder\":2}]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Secret Scanning Alerts\"},\"name\":\"Secret Scanning Alerts\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Dependabot Alerts

\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend alert = todynamic(alert_s)\\n| extend created_at = alert.created_at \\n| extend resolved_at = alert.fixed_at\\n| extend alertexternalidentifier= alert.external_identifier\\n| extend day = todatetime(resolved_at) - todatetime(created_at)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('resolve')\\n| summarize format_timespan(avg(day), 'dd:hh:mm:ss')\\n\",\"size\":4,\"title\":\"Mean Time to Resolution (dd:hh:mm:ss)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}],\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = 
todynamic(alert_s)\\n| extend Status = action_s\\n| extend alertexternalidentifier= alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\\n| count\",\"size\":4,\"title\":\"Created\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend 
repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Status = action_s\\n| extend alertexternalidentifier= alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('resolve')\\n| count\",\"size\":4,\"title\":\"Resolved\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Status = action_s\\n| extend alertexternalidentifier= alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('dismiss')\\n| count\",\"size\":4,\"title\":\"Dismissed\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"cu
stomWidth\":\"25\",\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertexternalidentifier = alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create', 'dismiss', 'resolve')\\n| summarize Count = count() by tostring(action_s), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"Alert Found/Fixed Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"create\",\"label\":\"Found\"},{\"seriesName\":\"resolve\",\"label\":\"Fixed\"},{\"seriesName\":\"dismiss\",\"label\":\"Dismissed\"}]}},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend Repository = 
todynamic(repository_s).full_name\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\\n| summarize Count=count() by tostring(Repository)\",\"size\":0,\"title\":\"Vulnerabilities by Repo\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"33\",\"name\":\"query - 7\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend 
alert = todynamic(alert_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend Repository = todynamic(repository_s).full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\\n| summarize Count=count() by tostring(Severity), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"New Alerts by Severity\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Action = todynamic(action_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend repo = todynamic(repository_s)\\n| extend Alert_URL = alert.external_reference\\n| extend Repository = repo.full_name\\n| extend created_at = alert.created_at\\n| extend resolved_at = case(isnotnull(alert.fixed_at), alert.fixed_at, alert.dismissed_at)\\n| extend 
Time_to_Resolution = format_timespan(todatetime(resolved_at) - todatetime(created_at), 'dd:hh:mm:ss')\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('resolve', 'dismiss')\\n| project Action, Repository, Severity, Alert_URL, Time_to_Resolution\",\"size\":0,\"title\":\"Fixed Alerts\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Alert_URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"Repository\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Time_to_Resolution\",\"label\":\"Time to Resolution(dd:hh:mm:ss)\"}]},\"sortBy\":[{\"itemKey\":\"Repository\",\"sortOrder\":2}]},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Action = todynamic(action_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend repo = todynamic(repository_s)\\n| extend Alert_URL = alert.external_reference\\n| extend Repository = repo.full_name\\n| extend created_at 
= alert.created_at\\n| extend resolved_at = alert.fixed_at\\n| extend Time_to_Resolution = todatetime(resolved_at) - todatetime(created_at)\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\\n| summarize Total=count(Severity), Critical=countif(Severity=='critical'), High=countif(Severity=='high'), Medium=countif(Severity=='moderate'), Low=countif(Severity=='low') by tostring(Repository)\",\"size\":0,\"title\":\"Alerts by 
Repo\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Critical\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redDark\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"High\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Medium\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Low\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"Total\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Total\",\"sortOrder\":2}]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Dependabot Alerts\"},\"name\":\"Dependabot Alerts\"}],\"fromTemplateId\":\"GitHubAdvancedSecurity - topics\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" + "eTag": "*", + "displayName": "GitHubAuditData", + "category": "Samples", + "functionAlias": "GitHubAuditData", + "query": "\n\r\n\r\nGitHubAuditLogPolling_CL\r\n| project TimeGenerated=unixtime_milliseconds_todatetime(created_at_d),\r\n Organization=columnifexists('org_s', \"\"),\r\n Action=action_s,\r\n Repository=columnifexists('repo_s',\"\"),\r\n 
Actor=columnifexists('actor_s', \"\"),\r\n\tCountry=columnifexists('actor_location_country_code_s', \"\"),\r\n ImpactedUser=columnifexists('user_s', \"\"),\r\n InvitedUserPermission=columnifexists('permission_s', \"\"),\r\n Visibility=columnifexists('visibility_s', \"\"),\r\n PreviousVisibility=columnifexists('previous_visibility_s', \"\"),\r\n CurrentPermission=columnifexists('permission_s', \"\"),\r\n PreviousPermission=columnifexists('old_permission_s', \"\"),\r\n TeamName=columnifexists('team_s', \"\"),\r\n BlockedUser=columnifexists('blocked_user_s', \"\")\r\n\r\n\r\n\r\n", + "functionParameters": "", + "version": 1, + "tags": [ + { + "name": "description", + "value": "GitHubAuditData" + } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "dependsOn": [ + "[variables('_parserId1')]" + ], "properties": { - "description": "@{workbookKey=GitHubSecurityWorkbook; logoFileName=GitHub.svg; description=Gain insights to GitHub activities that may be interesting for security.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=GithubWorkbook; templateRelativePath=GitHubWorkbook.json; subtitle=; provider=Microsoft}.description", - "parentId": "[variables('workbookId2')]", - "contentId": "[variables('_workbookContentId2')]", - "kind": "Workbook", - "version": "[variables('workbookVersion2')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + "version": 
"[variables('parserVersion1')]", "source": { - "kind": "Solution", "name": "GitHub", + "kind": "Solution", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -400,19 +665,6 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "GitHubAuditLogPolling_CL", - "kind": "DataType" - }, - { - "contentId": "GitHubEcAuditLogPolling", - "kind": "DataConnector" - } - ] } } } 
@@ -423,65 +675,98 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId2')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook2-name')]", - "contentProductId": "[variables('_workbookcontentProductId2')]", - "id": "[variables('_workbookcontentProductId2')]", - "version": "[variables('workbookVersion2')]" + "contentId": "[variables('_parserContentId1')]", + "contentKind": "Parser", + "displayName": "GitHubAuditData", + "contentProductId": "[variables('_parsercontentProductId1')]", + "id": "[variables('_parsercontentProductId1')]", + "version": "[variables('parserVersion1')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName1')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('_parserName1')]", "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], "properties": { - "description": "(Preview) GitHub - A payment method was removed_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", - "parameters": {}, + "eTag": "*", + "displayName": "GitHubAuditData", + "category": "Samples", + "functionAlias": "GitHubAuditData", + "query": "\n\r\n\r\nGitHubAuditLogPolling_CL\r\n| project TimeGenerated=unixtime_milliseconds_todatetime(created_at_d),\r\n Organization=columnifexists('org_s', \"\"),\r\n Action=action_s,\r\n Repository=columnifexists('repo_s',\"\"),\r\n 
Actor=columnifexists('actor_s', \"\"),\r\n\tCountry=columnifexists('actor_location_country_code_s', \"\"),\r\n ImpactedUser=columnifexists('user_s', \"\"),\r\n InvitedUserPermission=columnifexists('permission_s', \"\"),\r\n Visibility=columnifexists('visibility_s', \"\"),\r\n PreviousVisibility=columnifexists('previous_visibility_s', \"\"),\r\n CurrentPermission=columnifexists('permission_s', \"\"),\r\n PreviousPermission=columnifexists('old_permission_s', \"\"),\r\n TeamName=columnifexists('team_s', \"\"),\r\n BlockedUser=columnifexists('blocked_user_s', \"\")\r\n\r\n\r\n\r\n", + "functionParameters": "", + "version": 1, + "tags": [ + { + "name": "description", + "value": "GitHubAuditData" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "dependsOn": [ + "[variables('_parserId1')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + "version": "[variables('parserVersion1')]", + "source": { + "kind": "Solution", + "name": "GitHub", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "GitHubCodeScanningData Data Parser with template version 3.0.1", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserVersion2')]", + "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId1')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "name": "[variables('_parserName2')]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detect activities when a payment method was removed. This query runs every day and its severity is Medium.", - "displayName": "(Preview) GitHub - A payment method was removed", - "enabled": false, - "query": "GitHubAuditData\n| where Action == \"payment_method.remove\"\n| extend AccountCustomEntity = Actor\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": "[variables('TemplateEmptyArray')]", - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ + "eTag": "*", + "displayName": "GitHubCodeScanningData", + "category": "Samples", + "functionAlias": "GitHubCodeScanningData", + "query": "\n\ngithubscanaudit_CL \n| where action_s in ('created', 'reopened_by_user', 'closed_by_user', 'fixed', 'appeared_in_branch', 'reopened') and isnotempty(commit_oid_s)\n| extend EventType='CodeScanningAlert'\n| extend alert = todynamic(alert_s),\n organization = 
todynamic(organization_s),\n repository = todynamic(repository_s),\n sender = todynamic(sender_s) \n| extend alertcreatedate = alert.created_at, url = alert.url, commit_oid = commit_oid_s,\n alertdescription = alert.rule.description,\n toolname = alert.tool.name,\n repositoryfullname = repository.full_name,\n repositoryOwnerlogin = repository.owner.login,\n repositoryurl = repository.url,\n orglogin = organization.login,\n orgurl = organization.url,\n senderlogin = sender.login,\n sendertype = sender.type,\n action=action_s\n| project-keep\n TimeGenerated,\n EventType,\n action,\n alertdescription,\n alertcreatedate,\n commit_oid,\n toolname,\n repositoryfullname,\n repositoryOwnerlogin,\n repositoryurl,\n orglogin,\n orgurl,\n senderlogin,\n sendertype \n", + "functionParameters": "", + "version": 1, + "tags": [ { - "entityType": "Account", - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ] + "name": "description", + "value": "GitHubCodeScanningData" } ] } 
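Review bot: In the `GitHubAuditData` function added in this hunk, `InvitedUserPermission` and `CurrentPermission` are both projected from `permission_s`, so the two columns always hold the same value. A rule that reads either one cannot tell an invitation from a permission change unless it also filters on `Action`. If both names are kept for compatibility, say so in the query, e.g. `// InvitedUserPermission and CurrentPermission both read permission_s; filter on Action to tell the events apart`. `Action=action_s` is also the only column not wrapped in `columnifexists`, so the function would presumably fail to resolve on a workspace whose table has no `action_s` column yet; `Action=columnifexists('action_s', "")` would match the other columns. The same query text appears in the templated copy of this parser earlier in the diff, and since this template looks tool-generated the change probably belongs in the parser source it is packaged from.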
@@ -489,16 +774,18 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId2'),'/'))))]", + "dependsOn": [ + "[variables('_parserId2')]" + ], "properties": { - "description": "GitHub Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName2'))]", + "contentId": "[variables('_parserContentId2')]", + "kind": "Parser", + "version": "[variables('parserVersion2')]", "source": { - "kind": "Solution", "name": "GitHub", + "kind": "Solution", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -520,65 +807,98 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId1')]", - "contentKind": "AnalyticsRule", - "displayName": "(Preview) GitHub - A payment method was removed", - "contentProductId": "[variables('_analyticRulecontentProductId1')]", - "id": "[variables('_analyticRulecontentProductId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('_parserContentId2')]", + "contentKind": "Parser", + "displayName": "GitHubCodeScanningData", + "contentProductId": "[variables('_parsercontentProductId2')]", + "id": "[variables('_parsercontentProductId2')]", + "version": "[variables('parserVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('_parserName2')]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "GitHubCodeScanningData", + "category": "Samples", + "functionAlias": "GitHubCodeScanningData", + "query": "\n\ngithubscanaudit_CL \n| where action_s in ('created', 'reopened_by_user', 'closed_by_user', 'fixed', 'appeared_in_branch', 'reopened') and isnotempty(commit_oid_s)\n| extend EventType='CodeScanningAlert'\n| extend alert = todynamic(alert_s),\n organization = todynamic(organization_s),\n repository = todynamic(repository_s),\n sender = todynamic(sender_s) \n| extend alertcreatedate = alert.created_at, url = alert.url, commit_oid = commit_oid_s,\n alertdescription = alert.rule.description,\n toolname = alert.tool.name,\n repositoryfullname = repository.full_name,\n repositoryOwnerlogin = repository.owner.login,\n repositoryurl = repository.url,\n orglogin = organization.login,\n orgurl = organization.url,\n senderlogin = sender.login,\n sendertype = sender.type,\n action=action_s\n| project-keep\n TimeGenerated,\n EventType,\n action,\n alertdescription,\n 
alertcreatedate,\n commit_oid,\n toolname,\n repositoryfullname,\n repositoryOwnerlogin,\n repositoryurl,\n orglogin,\n orgurl,\n senderlogin,\n sendertype \n", + "functionParameters": "", + "version": 1, + "tags": [ + { + "name": "description", + "value": "GitHubCodeScanningData" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId2'),'/'))))]", + "dependsOn": [ + "[variables('_parserId2')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName2'))]", + "contentId": "[variables('_parserContentId2')]", + "kind": "Parser", + "version": "[variables('parserVersion2')]", + "source": { + "kind": "Solution", + "name": "GitHub", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName2')]", + "name": "[variables('parserTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "(Preview) GitHub - Activities from Infrequent Country_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "GitHubDependabotData Data Parser with template version 3.0.1", "mainTemplate": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": "[variables('parserVersion3')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId2')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "name": "[variables('_parserName3')]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.", - "displayName": "GitHub Activites from a New Country", - "enabled": false, - "query": "let LearningPeriod = 7d;\nlet RunTime = 1h;\nlet StartTime = 1h;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet GitHubCountryCodeLogs = (GitHubAuditData\n| where Country != \"\");\n GitHubCountryCodeLogs\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\n| summarize makeset(Country) by Actor\n| join kind=innerunique (\n GitHubCountryCodeLogs\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\n | distinct Country, Actor, TimeGenerated\n) on Actor \n| where set_Country !contains Country\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": "[variables('TemplateEmptyArray')]", - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ + "eTag": "*", + "displayName": "GitHubDependabotData", + "category": "Samples", + "functionAlias": "GitHubDependabotData", + "query": "\n\ngithubscanaudit_CL \n| where action_s in ('create', 'dismiss', 'resolve')\n| extend EventType='RepositoryVulnerabilityAlert'\n| extend alert = todynamic(alert_s),\n organization = todynamic(organization_s),\n repository = todynamic(repository_s),\n sender = todynamic(sender_s) \n| extend alertcreatedate = alert.created_at, alertaffectedrange = alert.affected_range, \n alertexternalidentifier= alert.external_identifier, \n alertghsaid = alert.ghsa_id,\n alertseverity = alert.severity,\n repositoryfullname = repository.full_name,\n repositoryOwnerlogin = repository.owner.login,\n repositoryurl = repository.url, \n senderlogin = sender.login,\n sendertype = sender.type,\n action=action_s\n| where isnotempty(alertexternalidentifier)\n| project-keep\n TimeGenerated,\n EventType,\n action,\n alertexternalidentifier,\n alertghsaid,\n alertcreatedate,\n repositoryfullname,\n repositoryOwnerlogin,\n repositoryurl,\n senderlogin,\n sendertype \n\n", + "functionParameters": "", + "version": 1, + "tags": [ { - "entityType": "Account", - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ] + "name": "description", + "value": "GitHubDependabotData" } ] } 
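Review bot: The `GitHubDependabotData` query computes `alertseverity` and `alertaffectedrange` in its `extend` but omits both from the `project-keep` list, so callers of the function never see the alert's severity or affected version range. The `GitHubCodeScanningData` query at the top of this hunk does the same with `url`, as does its templated copy in the earlier parser hunk. Severity is the column triage and alerting are most likely to need, so I would add `alertseverity,` and `alertaffectedrange,` to the Dependabot `project-keep` and `url,` to the code-scanning one, or remove the unused `extend` entries if the omission is deliberate. The savedSearches copy of the Dependabot query in the next large hunk needs the same change.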
@@ -586,16 +906,18 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId3'),'/'))))]", + "dependsOn": [ + "[variables('_parserId3')]" + ], "properties": { - "description": "GitHub Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName3'))]", + "contentId": "[variables('_parserContentId3')]", + "kind": "Parser", + "version": "[variables('parserVersion3')]", "source": { - "kind": "Solution", "name": "GitHub", + "kind": "Solution", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -617,79 +939,108 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId2')]", - "contentKind": "AnalyticsRule", - "displayName": "GitHub Activites from a New Country", - "contentProductId": "[variables('_analyticRulecontentProductId2')]", - "id": "[variables('_analyticRulecontentProductId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('_parserContentId3')]", + "contentKind": "Parser", + "displayName": "GitHubDependabotData", + "contentProductId": "[variables('_parsercontentProductId3')]", + "id": "[variables('_parsercontentProductId3')]", + "version": "[variables('parserVersion3')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName3')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('_parserName3')]", "location": "[parameters('workspace-location')]", - "dependsOn": [ + "properties": { + "eTag": "*", + "displayName": "GitHubDependabotData", + "category": "Samples", + "functionAlias": "GitHubDependabotData", + "query": "\n\ngithubscanaudit_CL \n| where action_s in ('create', 'dismiss', 'resolve')\n| extend EventType='RepositoryVulnerabilityAlert'\n| extend alert = todynamic(alert_s),\n organization = todynamic(organization_s),\n repository = todynamic(repository_s),\n sender = todynamic(sender_s) \n| extend alertcreatedate = alert.created_at, alertaffectedrange = alert.affected_range, \n alertexternalidentifier= alert.external_identifier, \n alertghsaid = alert.ghsa_id,\n alertseverity = alert.severity,\n repositoryfullname = repository.full_name,\n repositoryOwnerlogin = repository.owner.login,\n repositoryurl = repository.url, \n senderlogin = sender.login,\n sendertype = sender.type,\n action=action_s\n| 
where isnotempty(alertexternalidentifier)\n| project-keep\n TimeGenerated,\n EventType,\n action,\n alertexternalidentifier,\n alertghsaid,\n alertcreatedate,\n repositoryfullname,\n repositoryOwnerlogin,\n repositoryurl,\n senderlogin,\n sendertype \n\n", + "functionParameters": "", + "version": 1, + "tags": [ + { + "name": "description", + "value": "GitHubDependabotData" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId3'),'/'))))]", + "dependsOn": [ + "[variables('_parserId3')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName3'))]", + "contentId": "[variables('_parserContentId3')]", + "kind": "Parser", + "version": "[variables('parserVersion3')]", + "source": { + "kind": "Solution", + "name": "GitHub", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "(Preview) GitHub - Oauth application - a client secret was removed_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": 
"GitHubAdvancedSecurityWorkbook Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + "contentVersion": "[variables('workbookVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Gain insights to GitHub activities that may be interesting for security." + }, "properties": { - "description": "Detect activities when a client secret was removed. This query runs every day and its severity is Medium.", - "displayName": "(Preview) GitHub - Oauth application - a client secret was removed", - "enabled": false, - "query": "GitHubAuditData\n| where Action == \"oauth_application.remove_client_secret\"\n| extend AccountCustomEntity = Actor\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": "[variables('TemplateEmptyArray')]", - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ] - } - ] + "displayName": "[parameters('workbook1-name')]", + "serializedData": 
"{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f80bd5e4-0e9d-4dc7-b999-110328e5b08e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"isGlobal\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"1673856e-da45-4e3b-8c00-9790024bea39\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Repositories\",\"type\":5,\"description\":\"Repository selector\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s).full_name\\n| distinct tostring(repository)\\n| where isnotempty(repository)\\n\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f6c038fa-f6b7-4d31-9568-b1b4813e1104\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Actors\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"githubscanaudit_CL \\n| extend actor = todynamic(sender_s).login\\n| distinct tostring(actor)\\n| where 
isnotempty(actor)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"4f71b2a0-62dc-4d47-9488-e2df545d99be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n \\\"critical\\\",\\n \\\"high\\\",\\n \\\"medium\\\",\\n \\\"moderate\\\",\\n \\\"low\\\",\\n \\\"error\\\",\\n \\\"warning\\\",\\n \\\"note\\\"\\n]\",\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"b7b61394-d7c7-4a2a-9e90-5d17ce94f8d8\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Advanced Security Overview\",\"subTarget\":\"Advanced Security Overview\",\"style\":\"link\"},{\"id\":\"7b984311-578d-4162-8e03-1c82cfa37519\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Code Scanning Alerts\",\"subTarget\":\"Code Scanning Alerts\",\"style\":\"link\"},{\"id\":\"03316284-9c39-4d15-853b-568d16d264f5\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Secret Scanning Alerts\",\"subTarget\":\"Secret Scanning Alerts\",\"style\":\"link\"},{\"id\":\"8853be7b-58d0-45cc-89c3-1a9897f01b19\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Dependabot Alerts\",\"subTarget\":\"Dependabot Alerts\",\"style\":\"link\"}]},\"customWidth\":\"100\",\"name\":\"links - 
5\",\"styleSettings\":{\"margin\":\"0px\",\"padding\":\"0px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Advanced Security Overview

\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create')\\n| extend EventType='Dependabot Alert'\\n| extend alert = todynamic(alert_s) \\n| extend alertexternalidentifier= alert.external_identifier\\n| extend Severity = tostring(alert.severity)\\n| where Severity in ({Severity})\\n| where isnotempty(alertexternalidentifier)\\n| project EventType, Severity;\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created') and isnotempty(commit_oid_s)\\n| extend EventType='Code Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend Severity = tostring(alert.rule.security_severity_level)\\n| where Severity in ({Severity})\\n| where isnotempty(Severity) \\n| project EventType, Severity;\\nlet SecretScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created')\\n| extend EventType='Secret Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend Severity = \\\"high\\\"\\n| where Severity in ({Severity})\\n| where isnotempty(alertSecretType)\\n| project EventType, Severity;\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n|summarize Count = count() by tostring(Severity)\",\"size\":0,\"title\":\"Open Alerts By 
Severity\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Severity\",\"seriesLabelSettings\":[{\"seriesName\":\"high\",\"label\":\"High\",\"color\":\"redBright\"},{\"seriesName\":\"moderate\",\"label\":\"Moderate\",\"color\":\"orange\"},{\"seriesName\":\"medium\",\"label\":\"Medium\",\"color\":\"brown\"},{\"seriesName\":\"critical\",\"label\":\"Critical\",\"color\":\"redDark\"},{\"seriesName\":\"low\",\"label\":\"Low\",\"color\":\"yellow\"}]}},\"customWidth\":\"25\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create')\\n| extend EventType='Dependabot Alert'\\n| extend alert = todynamic(alert_s) \\n| extend repo = todynamic(repository_s) \\n| extend Repository = repo.full_name \\n| extend alertexternalidentifier= alert.external_identifier\\n| where isnotempty(alertexternalidentifier)\\n| extend Severity = tostring(alert.severity)\\n| where Severity in ({Severity});\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created') and isnotempty(commit_oid_s)\\n| extend EventType='Code Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend repo = todynamic(repository_s) \\n| extend Repository = repo.full_name \\n| extend Severity = alert.rule.security_severity_level\\n| extend Severity = tostring(alert.rule.security_severity_level)\\n| where Severity in ({Severity});\\nlet SecretScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = 
repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created')\\n| extend EventType='Secret Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend repo = todynamic(repository_s)\\n| extend Repository = repo.full_name \\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType)\\n| extend Severity = \\\"high\\\"\\n| where Severity in ({Severity});\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n|summarize Count = count() by tostring(Repository)\",\"size\":0,\"title\":\"Open Alerts by Repository\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"repositoryfullname\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"repositoryfullname\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"25\",\"name\":\"query - 8 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create')\\n| extend EventType='Dependabot Alert'\\n| extend alert = todynamic(alert_s) \\n| extend alertexternalidentifier= alert.external_identifier\\n| extend Severity = alert.severity\\n| where Severity in ({Severity})\\n| where isnotempty(alertexternalidentifier)\\n| project 
EventType, Severity;\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created') and isnotempty(commit_oid_s)\\n| extend EventType='Code Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend Severity = alert.rule.security_severity_level\\n| where Severity in ({Severity})\\n| project EventType, Severity;\\nlet SecretScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created')\\n| extend EventType='Secret Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend Severity = \\\"High\\\"\\n| where Severity in ({Severity})\\n| where isnotempty(alertSecretType)\\n| project EventType, Severity;\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n|summarize Count = count() by tostring(EventType)\",\"size\":0,\"title\":\"Open Alerts by Type\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"query - 8 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('dismiss', 'resolve')\\n| extend EventType='Dependabot Alert'\\n| extend alert = todynamic(alert_s) \\n| extend repo = todynamic(repository_s) \\n| extend Repository = repo.full_name \\n| extend alertexternalidentifier= alert.external_identifier\\n| where isnotempty(alertexternalidentifier)\\n| extend Severity = 
tostring(alert.severity)\\n| where Severity in ({Severity});\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('closed_by_user', 'fixed') and isnotempty(commit_oid_s)\\n| extend EventType='Code Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend repo = todynamic(repository_s) \\n| extend Repository = repo.full_name \\n| extend Severity = alert.rule.security_severity_level\\n| where Severity in ({Severity});\\nlet SecretScanningAlerts = githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('resolved')\\n| extend EventType='Secret Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend repo = todynamic(repository_s)\\n| extend Repository = repo.full_name \\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType)\\n| extend Severity = \\\"high\\\"\\n| where Severity in ({Severity});\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n| count\",\"size\":4,\"title\":\"Resolved Alert Count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 8 - Copy - Copy\",\"styleSettings\":{\"padding\":\"50px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RepositoryVulnerabilityAlerts = \\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create', 'dismiss', 'resolve')\\n| extend EventType='Dependabot Alert'\\n| extend alert = todynamic(alert_s) 
\\n| extend alertexternalidentifier= alert.external_identifier\\n| extend Severity = alert.severity\\n| where Severity in ({Severity})\\n| extend repo = todynamic(repository_s) \\n| extend Repository = repo.full_name \\n| extend id = alert.ghsa_id \\n| extend Status = action_s\\n| extend Reason = alert.affected_package_name\\n| extend Created_at = alert.created_at\\n| extend Number = alert.number\\n| extend Age = now() - todatetime(Created_at) \\n| where isnotempty(alertexternalidentifier)\\n|project Repository, Reason, id, EventType, tostring(Severity), Status, Created_at, Number, format_timespan(Age, 'dd:hh:mm:ss');\\nlet CodeScanningAlerts =\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created', 'reopened_by_user', 'closed_by_user', 'fixed', 'appeared_in_branch', 'reopened') and isnotempty(commit_oid_s)\\n| extend EventType='Code Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| extend Severity = alert.rule.security_severity_level\\n| extend repo = todynamic(repository_s) \\n| extend Repository = repo.full_name \\n| extend Reason = alert.rule.name\\n| extend id = alert.rule.id\\n| extend Severity = alert.rule.security_severity_level\\n| where Severity in ({Severity})\\n| extend Status = action_s\\n| extend Created_at = alert.created_at\\n| extend Number = alert.number\\n| where isnotempty(Severity) \\n| extend Age = now() - todatetime(Created_at)\\n|project Repository, Reason, id, EventType, tostring(Severity), Status, Created_at, Number, format_timespan(Age, 'dd:hh:mm:ss');\\nlet SecretScanningAlerts = \\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created', 'resolved', 'reopened')\\n| extend EventType='Secret Scanning Alert'\\n| extend alert = todynamic(alert_s)\\n| 
extend repo = todynamic(repository_s)\\n| extend Repository = repo.full_name \\n| extend Severity = \\\"high\\\"\\n| where Severity in ({Severity})\\n| extend Reason = alert.secret_type \\n| extend id = alert.number\\n| extend alertSecretType = alert.secret_type\\n| extend Status = action_s\\n| extend Created_at = alert.created_at\\n| extend Number = alert.number\\n| extend Age = now() - todatetime(Created_at)\\n| where isnotempty(alertSecretType)\\n| project Repository, Reason, id, EventType, tostring(Severity), Status, Created_at, Number, format_timespan(Age, 'dd:hh:mm:ss');\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\",\"size\":0,\"title\":\"Alert Details\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AllEvents\",\"formatter\":5},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"high\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"critical\",\"representation\":\"redDark\"},{\"operator\":\"contains\",\"thresholdValue\":\"moderate\",\"representation\":\"red\"},{\"operator\":\"contains\",\"thresholdValue\":\"medium\",\"representation\":\"orange\"},{\"operator\":\"contains\",\"thresholdValue\":\"low\",\"representation\":\"yellow\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":5000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Age\",\"label\":\"Age(dd:hh:mm:ss)\"}]}},\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Advanced Security Overview\"},\"name\":\"Advanced Security 
Overview\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Code Scanning Alerts

\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('closed_by_user', 'fixed') and isnotempty(commit_oid_s)\\n| extend alert = todynamic(alert_s)\\n| extend url = alert.url\\n| extend repo = todynamic(repository_s)\\n| extend repository = repo.name\\n| extend created_at = alert.created_at\\n| extend resolved_at = alert.fixed_at\\n| extend day = todatetime(resolved_at) - todatetime(created_at)\\n| summarize format_timespan(avg(day), 'dd:hh:mm:ss')\",\"size\":4,\"title\":\"Mean Time to Resolution (dd:hh:mm:ss)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}],\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created') and isnotempty(commit_oid_s)\\n| extend Status = action_s\\n| 
count\",\"size\":4,\"title\":\"Created\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('fixed') and isnotempty(commit_oid_s)\\n| extend Status = action_s\\n| 
count\",\"size\":4,\"title\":\"Fixed\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('reopened') and isnotempty(commit_oid_s)\\n| extend Status = action_s\\n| 
count\",\"size\":4,\"title\":\"Reopened\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created', \\\"fixed\\\") and isnotempty(commit_oid_s)\\n| summarize event_count=count() by tostring(action_s), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"Alert Found/Fixed 
Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"created\",\"label\":\"Created\"},{\"seriesName\":\"fixed\",\"label\":\"Fixed\"}]}},\"customWidth\":\"33\",\"name\":\"query - 7\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let GithubPushes = githubscanaudit_CL\\n| extend EventType='Push'\\n| extend status = todynamic(action_s)\\n| extend commit = todynamic(commits_s)[0]\\n| extend added = commit.added\\n| extend modified = commit.modified\\n| extend removed = commit.removed\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories})\\n| where isnotempty(modified[0]) or isnotempty(added[0]);\\nlet CodeScanningAlerts = \\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created', 'reopened') and isnotempty(commit_oid_s)\\n| extend EventType='Code Scanning Alert';\\nunion withsource=\\\"AllEvents\\\" CodeScanningAlerts, GithubPushes\\n| summarize event_count=count() by EventType, bin(TimeGenerated,1d)\\n\",\"size\":0,\"title\":\"Commit/Alert 
Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Push\",\"label\":\"Commits\"},{\"seriesName\":\"Code Scanning Alert\",\"label\":\"Alerts\"}]}},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created', \\\"appeared_in_branch\\\") and isnotempty(commit_oid_s)\\n| extend alert = todynamic(alert_s)\\n| extend Tool = alert.tool.name\\n| project TimeGenerated, Tool\\n| summarize Count = count() by tostring(Tool), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"New Alerts by Tool\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('closed_by_user', 'fixed') and isnotempty(commit_oid_s)\\n| extend alert = todynamic(alert_s)\\n| extend URL = alert.html_url\\n| extend tool = alert.tool.name\\n| extend repo = todynamic(repository_s)\\n| extend repository = repo.name\\n| extend created_at = alert.created_at\\n| extend resolved_at = alert.fixed_at\\n| extend Time_To_Resolution = format_timespan(todatetime(resolved_at) - todatetime(created_at), 'dd:hh:mm:ss')\\n| project repository, URL, 
tool, created_at, resolved_at, Time_To_Resolution\",\"size\":0,\"title\":\"Fixed Alerts\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"labelSettings\":[{\"columnId\":\"repository\",\"label\":\"Repository\"},{\"columnId\":\"tool\",\"label\":\"Tool\"},{\"columnId\":\"created_at\",\"label\":\"Created at\"},{\"columnId\":\"resolved_at\",\"label\":\"Resolved at\"},{\"columnId\":\"Time_To_Resolution\",\"label\":\"Time to Resolution(dd:hh:mm:ss)\"}]}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created', 'reopened_by_user', 'reopened') and isnotempty(commit_oid_s)\\n| extend alert = todynamic(alert_s)\\n| extend repo = todynamic(repository_s)\\n|extend repository = repo.full_name\\n| extend severity = alert.rule.security_severity_level\\n| where isnotempty(severity)\\n| summarize Total=count(severity), Critical=countif(severity=='critical'), High=countif(severity=='high'), Medium=countif(severity=='medium'), Low=countif(severity=='low') by tostring(repository)\\n\",\"size\":0,\"title\":\"Alerts by 
Severity\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Critical\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"representation\":\"redDark\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"red\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"High\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Medium\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Low\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"repository\",\"label\":\"Repository\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"severity\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"severity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"event_count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"event_count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"event_count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"event_count\",\"heatmapPalette\":\"g
reenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10px\",\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created', 'reopened') and isnotempty(commit_oid_s)\\n| extend alert = todynamic(alert_s)\\n| extend repo = todynamic(repository_s)\\n| extend Tool = tostring(alert.tool.name)\\n| extend Repository = repo.full_name\\n| project Repository, Tool\\n| evaluate pivot(tostring(Tool))\\n| order by tostring(Repository) asc\",\"size\":0,\"title\":\"Alerts by Repo\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true,\"sortBy\":[{\"itemKey\":\"Repository\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Repository\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"margin\":\"10px\",\"padding\":\"20px\"}}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Code Scanning Alerts\"},\"name\":\"Code Scanning Alerts\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Secret Scanning Alerts

\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Secret Scanning Alerts\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('resolved')\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType)\\n| extend created_at = alert.created_at\\n| extend resolved_at = alert.resolved_at\\n| extend day = todatetime(resolved_at) - todatetime(created_at)\\n| summarize format_timespan(avg(day), 'dd:hh:mm:ss')\",\"size\":4,\"title\":\"Mean Time to Resolution (dd:hh:mm:ss)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}],\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"33\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created')\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType)\\n| extend actor = todynamic(sender_s)\\n| extend actorname = actor.login\\n| where actorname in ({Actors})\\n| count \",\"size\":4,\"title\":\"Found 
Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('resolved')\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType)\\n| count \\n\",\"size\":4,\"title\":\"Fixed Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"33\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where 
repositoryfullname in ({Repositories}) and action_s in ('created')\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType)\\n| summarize Count = count() by tostring(alertSecretType)\",\"size\":0,\"title\":\"Secrets by Type\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created')\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where isnotempty(alertSecretType)\\n| summarize Count = count() by tostring(repositoryfullname)\",\"size\":0,\"title\":\"Secrets by Repository\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"33\",\"name\":\"query - 7\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in 
({Repositories}) and action_s in ('created', 'resolved')\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType)\\n| summarize Count = count() by bin(TimeGenerated, 1d), action_s\",\"size\":0,\"title\":\"Secrets Found/Fixed Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('resolved')\\n| extend alert = todynamic(alert_s)\\n| extend Secret_Type = alert.secret_type\\n| extend Repository = todynamic(repository_s).full_name\\n| extend Organization = todynamic(organization_s).login\\n| extend Created_at = alert.created_at\\n| extend Resolved_at = alert.resolved_at\\n| extend Time_to_Resolution= format_timespan(todatetime(Resolved_at) - todatetime(Created_at), 'dd:hh:mm:ss' )\\n| extend Resolution = case(isnotnull(alert.resolution), alert.resolution, \\\"Null\\\") \\n| extend URL = todynamic(repository_s).url \\n| where isnotempty(Secret_Type)\\n|project Secret_Type, Organization, Repository, Resolution, Time_to_Resolution\",\"size\":0,\"title\":\"Fixed Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true,\"sortBy\":[{\"itemKey\":\"Time_to_Resolution\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Secret_Type\",\"label\":\"Secret Type\"},{\"columnId\":\"Time_to_Resolution\",\"label\":\"Time to 
Resolution(dd:hh:mm:ss)\"}]},\"sortBy\":[{\"itemKey\":\"Time_to_Resolution\",\"sortOrder\":2}]},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('created')\\n| extend alert = todynamic(alert_s)\\n| extend Secret_Type = alert.secret_type\\n| extend Repository = todynamic(repository_s).full_name\\n| extend Organization = todynamic(organization_s).login\\n| extend Created_at = alert.created_at\\n| extend URL = alert.html_url \\n| where isnotempty(Secret_Type)\\n| project tostring(Secret_Type), tostring(Organization), tostring(Repository), tostring(URL), tostring(Created_at)\",\"size\":0,\"title\":\"Found Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"Created_at\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Secret_Type\",\"label\":\"Secret Type\"},{\"columnId\":\"Created_at\",\"label\":\"Created at\"}]},\"sortBy\":[{\"itemKey\":\"Created_at\",\"sortOrder\":2}]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Secret Scanning Alerts\"},\"name\":\"Secret Scanning Alerts\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Dependabot Alerts

\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('resolve')\\n| extend alert = todynamic(alert_s)\\n| extend created_at = alert.created_at \\n| extend resolved_at = alert.fixed_at\\n| extend alertexternalidentifier= alert.external_identifier\\n| where isnotempty(alertexternalidentifier)\\n| extend day = todatetime(resolved_at) - todatetime(created_at)\\n| summarize format_timespan(avg(day), 'dd:hh:mm:ss')\\n\",\"size\":4,\"title\":\"Mean Time to Resolution (dd:hh:mm:ss)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}],\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create')\\n| extend alert = todynamic(alert_s)\\n| extend Status = action_s\\n| extend alertexternalidentifier= alert.external_identifier\\n| where isnotempty(alertexternalidentifier)\\n| 
count\",\"size\":4,\"title\":\"Created\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('resolve')\\n| extend alert = todynamic(alert_s)\\n| extend Status = action_s\\n| extend alertexternalidentifier= alert.external_identifier\\n| where isnotempty(alertexternalidentifier)\\n| 
count\",\"size\":4,\"title\":\"Resolved\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('dismiss')\\n| extend alert = todynamic(alert_s)\\n| extend Status = action_s\\n| extend alertexternalidentifier= alert.external_identifier\\n| where isnotempty(alertexternalidentifier)\\n| 
count\",\"size\":4,\"title\":\"Dismissed\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create', 'dismiss', 'resolve')\\n| extend alert = todynamic(alert_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| where isnotempty(alertexternalidentifier)\\n| summarize Count = count() by tostring(action_s), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"Alert Found/Fixed 
Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"create\",\"label\":\"Found\"},{\"seriesName\":\"resolve\",\"label\":\"Fixed\"},{\"seriesName\":\"dismiss\",\"label\":\"Dismissed\"}]}},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create')\\n| extend EventType='RepositoryVulnerabilityAlert'\\n| extend alert = todynamic(alert_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend Repository = todynamic(repository_s).full_name\\n| where isnotempty(alertexternalidentifier)\\n| summarize Count=count() by tostring(Repository)\",\"size\":0,\"title\":\"Vulnerabilities by Repo\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"33\",\"name\":\"query - 7\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s 
in ('create')\\n| extend EventType='RepositoryVulnerabilityAlert'\\n| extend alert = todynamic(alert_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend Repository = todynamic(repository_s).full_name\\n| where isnotempty(alertexternalidentifier)\\n| summarize Count=count() by tostring(Severity), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"New Alerts by Severity\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('resolve', 'dismiss')\\n| extend alert = todynamic(alert_s)\\n|extend Action = todynamic(action_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend repo = todynamic(repository_s)\\n| extend Alert_URL = alert.external_reference\\n| extend Repository = repo.full_name\\n| extend created_at = alert.created_at\\n| extend resolved_at = case(isnotnull(alert.fixed_at), alert.fixed_at, alert.dismissed_at)\\n| extend Time_to_Resolution = format_timespan(todatetime(resolved_at) - todatetime(created_at), 'dd:hh:mm:ss')\\n| where isnotempty(alertexternalidentifier)\\n| project Action, Repository, Severity, Alert_URL, Time_to_Resolution\",\"size\":0,\"title\":\"Fixed 
Alerts\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Alert_URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"Repository\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Time_to_Resolution\",\"label\":\"Time to Resolution(dd:hh:mm:ss)\"}]},\"sortBy\":[{\"itemKey\":\"Repository\",\"sortOrder\":2}]},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| where repositoryfullname in ({Repositories}) and action_s in ('create')\\n| extend alert = todynamic(alert_s)\\n| extend Action = todynamic(action_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend repo = todynamic(repository_s)\\n| extend Alert_URL = alert.external_reference\\n| extend Repository = repo.full_name\\n| extend created_at = alert.created_at\\n| extend resolved_at = alert.fixed_at\\n| extend Time_to_Resolution = todatetime(resolved_at) - todatetime(created_at)\\n| where isnotempty(alertexternalidentifier)\\n| summarize Total=count(Severity), Critical=countif(Severity=='critical'), High=countif(Severity=='high'), Medium=countif(Severity=='moderate'), Low=countif(Severity=='low') by tostring(Repository)\",\"size\":0,\"title\":\"Alerts by 
Repo\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Critical\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redDark\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"High\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Medium\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Low\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Dependabot Alerts\"},\"name\":\"Dependabot Alerts\",\"styleSettings\":{\"showBorder\":true}}],\"fallbackResourceIds\":[],\"fromTemplateId\":\"sentinel-UserWorkbook-alexdemichieli-github-update-1\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "GitHub Analytics Rule 3", - 
"parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "description": "@{workbookKey=UserWorkbook-alexdemichieli-github-update-1; logoFileName=GitHub.svg; description=Gain insights to GitHub activities that may be interesting for security.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=GitHub Security; templateRelativePath=GitHubAdvancedSecurity.json; subtitle=; provider=Microsoft}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", "source": { "kind": "Solution", "name": "GitHub", @@ -704,6 +1055,19 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "GitHubAuditLogPolling_CL", + "kind": "DataType" + }, + { + "contentId": "GitHubEcAuditLogPolling", + "kind": "DataConnector" + } + ] } } } 
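Review bot: The `dependencies` block added to this workbook's metadata lists `GitHubAuditLogPolling_CL` as the required DataType, but every query visible in the workbook's `serializedData` earlier in this diff reads from `githubscanaudit_CL`, so the declared dependency does not match the table the dashboard queries. A workspace may then satisfy the listed dependency while the alert tiles stay empty, which is easy to misread as "no open alerts". I would change the first criterion to `"contentId": "githubscanaudit_CL",` and confirm that `GitHubEcAuditLogPolling` is the connector that fills that table, since the connector definition is not visible here. This file looks like generated package output, so the correction probably belongs in the workbook's `dataTypesDependencies` metadata entry rather than in this hunk. The metadata resource object starts above the hunk.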
@@ -714,79 +1078,57 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId3')]", - "contentKind": "AnalyticsRule", - "displayName": "(Preview) GitHub - Oauth application - a client secret was removed", - "contentProductId": "[variables('_analyticRulecontentProductId3')]", - "id": "[variables('_analyticRulecontentProductId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName4')]", + "name": "[variables('workbookTemplateSpecName2')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "(Preview) GitHub - Repository was created_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "GitHubWorkbook Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + "contentVersion": "[variables('workbookVersion2')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId4')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.Insights/workbooks", + "name": 
"[variables('workbookContentId2')]", "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "" + }, "properties": { - "description": "Detect activities when a repository was created. This query runs every day and its severity is Medium.", - "displayName": "(Preview) GitHub - Repository was created", - "enabled": false, - "query": "GitHubAuditData\n| where Action == \"repo.create\"\n| extend AccountCustomEntity = Actor\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": "[variables('TemplateEmptyArray')]", - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "entityType": "Account", - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ] - } - ] + "displayName": "[parameters('workbook2-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Topics and repository filters are mutually exlusive. 
To filter for topics, deselect all repositories and vice versa\",\"style\":\"warning\"},\"name\":\"text - 6\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f80bd5e4-0e9d-4dc7-b999-110328e5b08e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"isGlobal\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"87b3e22f-fc5b-4c56-a449-372be28ec152\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Orgs\",\"type\":5,\"description\":\"Org selector\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"githubscanaudit_CL \\n| extend organization = todynamic(organization_s).login\\n| distinct tostring(organization)\\n| where isnotempty(organization)\\n\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"dsp-testing\"]},{\"id\":\"1673856e-da45-4e3b-8c00-9790024bea39\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Repositories\",\"type\":5,\"description\":\"Repository selector\",\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"githubscanaudit_CL \\n| extend repository = todynamic(repository_s).full_name\\n| extend organization = todynamic(organization_s).login\\n| 
where isnotempty(repository) and tostring(organization) in ({Orgs})\\n| distinct tostring(repository)\\n\\n\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[]},{\"id\":\"10bfa980-1673-4a8c-9d59-fe12a24e297c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Topics\",\"type\":5,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let selection = dynamic([{Repositories}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend topics = repository.topics\\n| extend org = todynamic(organization_s)\\n| extend orgName = org.login\\n| extend reposAreNotSelected = array_length((selection)) == 0\\n| where topics <> \\\"[]\\\" and orgName in ({Orgs}) //and reposAreNotSelected\\n| mv-expand topics\\n| distinct tostring(topics)\\n| project topics\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"b7b61394-d7c7-4a2a-9e90-5d17ce94f8d8\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Advanced Security Overview\",\"subTarget\":\"Advanced Security Overview\",\"style\":\"link\"},{\"id\":\"7b984311-578d-4162-8e03-1c82cfa37519\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Code Scanning Alerts\",\"subTarget\":\"Code Scanning 
Alerts\",\"style\":\"link\"},{\"id\":\"03316284-9c39-4d15-853b-568d16d264f5\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Secret Scanning Alerts\",\"subTarget\":\"Secret Scanning Alerts\",\"style\":\"link\"},{\"id\":\"8853be7b-58d0-45cc-89c3-1a9897f01b19\",\"cellValue\":\"SelectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Dependabot Alerts\",\"subTarget\":\"Dependabot Alerts\",\"style\":\"link\"}]},\"customWidth\":\"50\",\"name\":\"links - 5\",\"styleSettings\":{\"margin\":\"0px\",\"padding\":\"0px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Advanced Security Overview

\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\nlet RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend EventType='Dependabot Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s) \\n| extend alertexternalidentifier= alert.external_identifier\\n| extend Severity = tostring(alert.severity)\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('create') and isnotempty(alertexternalidentifier)\\n| project EventType, Severity, orgFullName;\\n\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend EventType='Code Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Severity = tostring(alert.rule.security_severity_level)\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in 
(repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created') and isnotempty(commit_oid_s) and isnotempty(Severity) \\n| project EventType, Severity, orgFullName, repositoryfullname;\\n\\nlet SecretScanningAlerts = githubscanaudit_CL \\n| extend EventType='Secret Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend Severity = \\\"high\\\"\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created') and isnotempty(alertSecretType)\\n| project EventType, Severity, orgFullName, repositoryfullname;\\n union withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n| summarize Count = count() by tostring(Severity)\",\"size\":0,\"title\":\"Open Alerts By 
Severity\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"sortBy\":[],\"chartSettings\":{\"group\":\"Severity\",\"createOtherGroup\":\"\",\"seriesLabelSettings\":[{\"seriesName\":\"high\",\"label\":\"High\",\"color\":\"redBright\"},{\"seriesName\":\"moderate\",\"label\":\"Moderate\",\"color\":\"orange\"},{\"seriesName\":\"medium\",\"label\":\"Medium\",\"color\":\"brown\"},{\"seriesName\":\"critical\",\"label\":\"Critical\",\"color\":\"redDark\"},{\"seriesName\":\"low\",\"label\":\"Low\",\"color\":\"yellow\"}]}},\"customWidth\":\"25\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\nlet RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend EventType='Dependabot Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend alert = todynamic(alert_s) \\n| extend alertexternalidentifier= alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create');\\n\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend EventType='Code Scanning Alert'\\n| extend repository = 
todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s) \\n| extend Severity = alert.rule.security_severity_level\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created') and isnotempty(commit_oid_s);\\n\\nlet SecretScanningAlerts = githubscanaudit_CL \\n| extend EventType='Secret Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s) \\n| extend alertSecretType = alert.secret_type\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertSecretType) and action_s in ('created');\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n|summarize Count = count() by tostring(repositoryfullname)\",\"size\":0,\"title\":\"Open Alerts by 
Repository\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"repositoryfullname\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"repositoryfullname\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"25\",\"name\":\"query - 8 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\n\\nlet RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend EventType='Dependabot Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s) \\n| extend alertexternalidentifier= alert.external_identifier\\n| extend Severity = alert.severity\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\\n| project EventType, 
Severity;\\n\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend EventType='Code Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Severity = alert.rule.security_severity_level\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created') and isnotempty(commit_oid_s)\\n| project EventType, Severity;\\n\\nlet SecretScanningAlerts = githubscanaudit_CL \\n| extend EventType='Secret Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend Severity = \\\"High\\\"\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created') and isnotempty(alertSecretType)\\n| project EventType, Severity;\\nunion 
withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n|summarize Count = count() by tostring(EventType)\",\"size\":0,\"title\":\"Open Alerts by Type\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"25\",\"name\":\"query - 8 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\n\\nlet RepositoryVulnerabilityAlerts = githubscanaudit_CL \\n| extend EventType='Dependabot Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s) \\n| extend Repository = repository.full_name \\n| extend alertexternalidentifier= alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('dismiss', 'resolve') and isnotempty(alertexternalidentifier);\\n\\nlet CodeScanningAlerts = githubscanaudit_CL \\n| extend EventType='Code Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Repository = repository.full_name \\n| extend Severity = alert.rule.security_severity_level\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| 
extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('closed_by_user', 'fixed') and isnotempty(commit_oid_s);\\n\\nlet SecretScanningAlerts = githubscanaudit_CL\\n| extend EventType='Secret Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Repository = repository.full_name \\n| extend alertSecretType = alert.secret_type\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('resolved') and isnotempty(alertSecretType);\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\\n| count\",\"size\":4,\"title\":\"Resolved Alert Count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 8 - Copy - 
Copy\",\"styleSettings\":{\"padding\":\"50px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\nlet RepositoryVulnerabilityAlerts = \\ngithubscanaudit_CL \\n| extend EventType='Dependabot Alert'\\n| extend repository = todynamic(repository_s)\\n| extend Repository = repository.full_name \\n| extend alert = todynamic(alert_s) \\n| extend alertexternalidentifier = alert.external_identifier\\n| extend Severity = alert.severity\\n| extend id = alert.ghsa_id \\n| extend Status = action_s\\n| extend Reason = alert.affected_package_name\\n| extend Created_at = alert.created_at\\n| extend Number = alert.number\\n| extend Age = now() - todatetime(Created_at)\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (Repository in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('create', 'dismiss', 'resolve') and isnotempty(alertexternalidentifier)\\n| project Repository, Reason, id, EventType, tostring(Severity), Status, Created_at, Number, format_timespan(Age, 'dd:hh:mm:ss');\\n\\nlet CodeScanningAlerts =\\ngithubscanaudit_CL \\n| extend EventType='Code Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend Repository = repository.full_name \\n| extend alert = todynamic(alert_s)\\n| extend Severity = alert.rule.security_severity_level\\n| extend Reason = alert.rule.name\\n| extend id = alert.rule.id\\n| extend Severity = alert.rule.security_severity_level\\n| extend Status = 
action_s\\n| extend Created_at = alert.created_at\\n| extend Number = alert.number\\n| extend Age = now() - todatetime(Created_at)\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (Repository in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created', 'reopened_by_user', 'closed_by_user', 'fixed', 'appeared_in_branch', 'reopened') and isnotempty(commit_oid_s) and isnotempty(Severity) \\n| project Repository, Reason, id, EventType, tostring(Severity), Status, Created_at, Number, format_timespan(Age, 'dd:hh:mm:ss');\\n\\nlet SecretScanningAlerts = \\ngithubscanaudit_CL \\n| extend EventType='Secret Scanning Alert'\\n| extend repository = todynamic(repository_s)\\n| extend Repository = repository.full_name \\n| extend alert = todynamic(alert_s)\\n| extend Severity = \\\"high\\\"\\n| extend Reason = alert.secret_type \\n| extend id = alert.number\\n| extend alertSecretType = alert.secret_type\\n| extend Status = action_s\\n| extend Created_at = alert.created_at\\n| extend Number = alert.number\\n| extend Age = now() - todatetime(Created_at)\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (Repository in 
(repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created', 'resolved', 'reopened') and isnotempty(alertSecretType)\\n| project Repository, Reason, id, EventType, tostring(Severity), Status, Created_at, Number, format_timespan(Age, 'dd:hh:mm:ss');\\nunion withsource=\\\"AllEvents\\\" RepositoryVulnerabilityAlerts, CodeScanningAlerts, SecretScanningAlerts\",\"size\":0,\"title\":\"Alert Details\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AllEvents\",\"formatter\":5},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"high\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"critical\",\"representation\":\"redDark\"},{\"operator\":\"contains\",\"thresholdValue\":\"moderate\",\"representation\":\"red\"},{\"operator\":\"contains\",\"thresholdValue\":\"medium\",\"representation\":\"orange\"},{\"operator\":\"contains\",\"thresholdValue\":\"low\",\"representation\":\"yellow\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":5000,\"filter\":true}},\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Advanced Security Overview\"},\"name\":\"Advanced Security Overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Code Scanning Alerts

\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend alert = todynamic(alert_s)\\n| extend url = alert.url\\n| extend repo = todynamic(repository_s)\\n| extend repository = repo.name\\n| extend created_at = alert.created_at\\n| extend resolved_at = alert.fixed_at\\n| extend day = todatetime(resolved_at) - todatetime(created_at)\\n| where action_s in ('closed_by_user', 'fixed') and isnotempty(commit_oid_s)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| summarize format_timespan(avg(day), 'dd:hh:mm:ss')\",\"size\":4,\"title\":\"Mean Time to Resolution (dd:hh:mm:ss)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"sortBy\":[],\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic 
= repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created') and isnotempty(commit_oid_s)\\n| count\",\"size\":4,\"title\":\"Created\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = 
todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('fixed') and isnotempty(commit_oid_s)\\n| count\",\"size\":4,\"title\":\"Fixed\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = 
todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('reopened') and isnotempty(commit_oid_s)\\n| count\",\"size\":4,\"title\":\"Reopened\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = 
dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created', \\\"fixed\\\") and isnotempty(commit_oid_s)\\n| summarize event_count=count() by tostring(action_s), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"Alert Found/Fixed Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"created\",\"label\":\"Created\"},{\"seriesName\":\"fixed\",\"label\":\"Fixed\"}]}},\"customWidth\":\"33\",\"name\":\"query - 7\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\nlet GithubPushes = githubscanaudit_CL\\n| extend EventType='Push'\\n| extend status = todynamic(action_s)\\n| extend 
commit = todynamic(commits_s)[0]\\n| extend added = commit.added\\n| extend modified = commit.modified\\n| extend removed = commit.removed\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(modified[0]) or isnotempty(added[0]);\\nlet CodeScanningAlerts = \\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created', 'reopened') and isnotempty(commit_oid_s)\\n| extend EventType='Code Scanning Alert';\\nunion withsource=\\\"AllEvents\\\" CodeScanningAlerts, GithubPushes\\n| summarize event_count=count() by EventType, bin(TimeGenerated,1d)\\n\",\"size\":0,\"title\":\"Commit/Alert 
Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Push\",\"label\":\"Commits\"},{\"seriesName\":\"Code Scanning Alert\",\"label\":\"Alerts\"}]}},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Tool = alert.tool.name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created', \\\"appeared_in_branch\\\") and isnotempty(commit_oid_s)\\n| project TimeGenerated, Tool\\n| summarize Count = count() by tostring(Tool), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"New Alerts by Tool\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend topics = repository.topics\\n| extend alert = todynamic(alert_s)\\n| extend URL = alert.html_url\\n| extend tool = alert.tool.name\\n| extend created_at = alert.created_at\\n| extend resolved_at = alert.fixed_at\\n| extend Time_To_Resolution = format_timespan(todatetime(resolved_at) - todatetime(created_at), 'dd:hh:mm:ss')\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('closed_by_user', 'fixed') and isnotempty(commit_oid_s)\\n| project repository, URL, tool, created_at, resolved_at, Time_To_Resolution\",\"size\":0,\"title\":\"Fixed Alerts\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}]},\"sortBy\":[]},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend severity = alert.rule.security_severity_level\\n| extend org = 
todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created', 'reopened_by_user', 'reopened') and isnotempty(commit_oid_s) and isnotempty(severity)\\n| summarize Total=count(severity), Critical=countif(severity=='critical'), High=countif(severity=='high'), Medium=countif(severity=='medium'), Low=countif(severity=='low') by tostring(repositoryfullname)\\n\",\"size\":0,\"title\":\"Alerts by Severity\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Critical\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"representation\":\"redDark\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"red\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"High\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Medium\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Low\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"yel
low\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"Total\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Total\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"severity\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"severity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"event_count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"event_count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"event_count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"event_count\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10px\",\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend alert = todynamic(alert_s)\\n| extend repo = todynamic(repository_s)\\n| extend Tool = tostring(alert.tool.name)\\n| extend Repository = repo.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (Repository in 
(repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where action_s in ('created', 'reopened') and isnotempty(commit_oid_s)\\n| project Repository, Tool\\n| evaluate pivot(tostring(Tool))\\n| order by tostring(Repository) asc\",\"size\":0,\"title\":\"Alerts by Repo\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true,\"sortBy\":[{\"itemKey\":\"Grype\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Grype\",\"sortOrder\":2}]},\"customWidth\":\"45\",\"name\":\"query - 1\",\"styleSettings\":{\"margin\":\"10px\",\"padding\":\"20px\"}}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Code Scanning Alerts\"},\"name\":\"Code Scanning Alerts\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Secret Scanning Alerts

\"},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Secret Scanning Alerts\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend created_at = alert.created_at\\n| extend resolved_at = alert.resolved_at\\n| extend day = todatetime(resolved_at) - todatetime(created_at)\\n| extend day = todatetime(resolved_at) - todatetime(created_at)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertSecretType)\\n| summarize format_timespan(avg(day), 'dd:hh:mm:ss')\",\"size\":4,\"title\":\"Mean Time to Resolution (dd:hh:mm:ss)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}],\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"33\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\n\\nlet repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = 
dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| where isnotempty(alertSecretType) and action_s in ('created')\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| project repositoryfullname, topic, repoTopics, Out, areTopicsSelected\\n| count\\n\",\"size\":4,\"title\":\"Found Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}],\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPale
tte\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\n\\nlet repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n| extend Out = topic in (repoTopics)\\n| summarize topic = make_list(topic), Out= make_list(Out)\\n| project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertSecretType) and action_s in ('resolved')\\n| count\",\"size\":4,\"title\":\"Fixed Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"33\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | 
summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertSecretType) and action_s in ('created')\\n| summarize Count = count() by tostring(alertSecretType)\",\"size\":0,\"title\":\"Secrets by Type\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertSecretType) and action_s in ('created')\\n| summarize Count = count() by 
tostring(repositoryfullname)\",\"size\":0,\"title\":\"Secrets by Repository\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"33\",\"name\":\"query - 7\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertSecretType = alert.secret_type\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertSecretType) and action_s in ('created', 'resolved')\\n| summarize Count = count() by bin(TimeGenerated, 1d), action_s\",\"size\":0,\"title\":\"Secrets Found/Fixed 
Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Secret_Type = alert.secret_type\\n| extend Repository = todynamic(repository_s).full_name\\n| extend Organization = todynamic(organization_s).login\\n| extend Created_at = alert.created_at\\n| extend Resolved_at = alert.resolved_at\\n| extend Time_to_Resolution= format_timespan(todatetime(Resolved_at) - todatetime(Created_at), 'dd:hh:mm:ss' )\\n| extend Resolution = case(isnotnull(alert.resolution), alert.resolution, \\\"Null\\\") \\n| extend URL = todynamic(repository_s).url\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(Secret_Type) and action_s in ('resolved')\\n|project Secret_Type, Organization, Repository, Resolution, Time_to_Resolution\",\"size\":0,\"title\":\"Fixed 
Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true,\"sortBy\":[{\"itemKey\":\"Time_to_Resolution\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Secret_Type\",\"label\":\"Secret Type\"},{\"columnId\":\"Time_to_Resolution\",\"label\":\"Time to Resolution(dd:hh:mm:ss)\"}]},\"sortBy\":[{\"itemKey\":\"Time_to_Resolution\",\"sortOrder\":2}]},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Secret_Type = alert.secret_type\\n| extend Repository = todynamic(repository_s).full_name\\n| extend Organization = todynamic(organization_s).login\\n| extend Created_at = alert.created_at\\n| extend URL = alert.html_url\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(Secret_Type) and action_s in ('created')\\n| project tostring(Secret_Type), tostring(Organization), tostring(Repository), tostring(URL), tostring(Created_at)\",\"size\":0,\"title\":\"Found 
Secrets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"Created_at\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Secret_Type\",\"label\":\"Secret Type\"},{\"columnId\":\"Created_at\",\"label\":\"Created at\"}]},\"sortBy\":[{\"itemKey\":\"Created_at\",\"sortOrder\":2}]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Secret Scanning Alerts\"},\"name\":\"Secret Scanning Alerts\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"

Dependabot Alerts

\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend alert = todynamic(alert_s)\\n| extend created_at = alert.created_at \\n| extend resolved_at = alert.fixed_at\\n| extend alertexternalidentifier= alert.external_identifier\\n| extend day = todatetime(resolved_at) - todatetime(created_at)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('resolve')\\n| summarize format_timespan(avg(day), 'dd:hh:mm:ss')\\n\",\"size\":4,\"title\":\"Mean Time to Resolution (dd:hh:mm:ss)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"MTTR\",\"sortOrder\":2}],\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = 
todynamic(alert_s)\\n| extend Status = action_s\\n| extend alertexternalidentifier= alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\\n| count\",\"size\":4,\"title\":\"Created\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}]},\"sortBy\":[],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = 
dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Status = action_s\\n| extend alertexternalidentifier= alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('resolve')\\n| count\",\"size\":4,\"title\":\"Resolved\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}]},\"sortBy\":[],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - 
Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Status = action_s\\n| extend alertexternalidentifier= alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('dismiss')\\n| 
count\",\"size\":4,\"title\":\"Dismissed\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Status\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":1}]},\"sortBy\":[],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Status\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false,\"size\":\"auto\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}},\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"25\",\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertexternalidentifier = alert.external_identifier\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, 
areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create', 'dismiss', 'resolve')\\n| summarize Count = count() by tostring(action_s), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"Alert Found/Fixed Ratio\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"create\",\"label\":\"Found\"},{\"seriesName\":\"resolve\",\"label\":\"Fixed\"},{\"seriesName\":\"dismiss\",\"label\":\"Dismissed\"}]}},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend Repository = todynamic(repository_s).full_name\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\\n| summarize Count=count() by tostring(Repository)\",\"size\":0,\"title\":\"Vulnerabilities by 
Repo\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"event_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"33\",\"name\":\"query - 7\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend Repository = todynamic(repository_s).full_name\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\\n| summarize Count=count() by tostring(Severity), bin(TimeGenerated,1d)\",\"size\":0,\"title\":\"New Alerts by 
Severity\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"33\",\"name\":\"query - 7 - Copy\",\"styleSettings\":{\"padding\":\"20px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Action = todynamic(action_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend repo = todynamic(repository_s)\\n| extend Alert_URL = alert.external_reference\\n| extend Repository = repo.full_name\\n| extend created_at = alert.created_at\\n| extend resolved_at = case(isnotnull(alert.fixed_at), alert.fixed_at, alert.dismissed_at)\\n| extend Time_to_Resolution = format_timespan(todatetime(resolved_at) - todatetime(created_at), 'dd:hh:mm:ss')\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('resolve', 'dismiss')\\n| project Action, Repository, Severity, Alert_URL, Time_to_Resolution\",\"size\":0,\"title\":\"Fixed 
Alerts\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Alert_URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"Repository\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Time_to_Resolution\",\"label\":\"Time to Resolution(dd:hh:mm:ss)\"}]},\"sortBy\":[{\"itemKey\":\"Repository\",\"sortOrder\":2}]},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let repositoriesList = dynamic([{Repositories}]);\\nlet repoTopics = dynamic([{Topics}]);\\ngithubscanaudit_CL \\n| extend repository = todynamic(repository_s)\\n| extend repositoryfullname = repository.full_name\\n| extend alert = todynamic(alert_s)\\n| extend Action = todynamic(action_s)\\n| extend alertexternalidentifier = alert.external_identifier \\n| extend Severity = alert.severity\\n| extend repo = todynamic(repository_s)\\n| extend Alert_URL = alert.external_reference\\n| extend Repository = repo.full_name\\n| extend created_at = alert.created_at\\n| extend resolved_at = alert.fixed_at\\n| extend Time_to_Resolution = todatetime(resolved_at) - todatetime(created_at)\\n| extend org = todynamic(organization_s)\\n| extend orgFullName = org.login\\n| extend topic = repository.topics\\n| mv-apply repoTopics, topic on (\\n mv-expand topic\\n | extend Out = topic in (repoTopics)\\n | summarize topic = make_list(topic), Out= make_list(Out)\\n | project Out, topic\\n)\\n| extend areReposSelected = array_length((repositoriesList)) == 0\\n| extend areTopicsSelected = array_length((repoTopics)) > 0\\n| where\\n (repositoryfullname in (repositoriesList) and orgFullName in ({Orgs})) or\\n (set_has_element(Out, areTopicsSelected) and areTopicsSelected)\\n| where isnotempty(alertexternalidentifier) and action_s in ('create')\\n| summarize Total=count(Severity), Critical=countif(Severity=='critical'), 
High=countif(Severity=='high'), Medium=countif(Severity=='moderate'), Low=countif(Severity=='low') by tostring(Repository)\",\"size\":0,\"title\":\"Alerts by Repo\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Critical\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redDark\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"High\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Medium\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Low\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"Total\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Total\",\"sortOrder\":2}]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"SelectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Dependabot Alerts\"},\"name\":\"Dependabot Alerts\"}],\"fallbackResourceIds\":[],\"fromTemplateId\":\"GitHubAdvancedSecurity - topics\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", "properties": { - "description": "GitHub Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", + "description": ".description", + "parentId": "[variables('workbookId2')]", + "contentId": "[variables('_workbookContentId2')]", + "kind": "Workbook", + "version": "[variables('workbookVersion2')]", "source": { "kind": "Solution", "name": "GitHub", 
@@ -811,41 +1153,41 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId4')]",
- "contentKind": "AnalyticsRule",
- "displayName": "(Preview) GitHub - Repository was created",
- "contentProductId": "[variables('_analyticRulecontentProductId4')]",
- "id": "[variables('_analyticRulecontentProductId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentId": "[variables('_workbookContentId2')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook2-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId2')]",
+ "id": "[variables('_workbookcontentProductId2')]",
+ "version": "[variables('workbookVersion2')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName5')]",
+ "name": "[variables('analyticRuleTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "(Preview) GitHub - Repository was destroyed_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "(Preview) GitHub - A payment method was removed_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion5')]",
+ "contentVersion": "[variables('analyticRuleVersion1')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId5')]",
+ "name": "[variables('analyticRulecontentId1')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "description": "Detect activities when a repository was destroyed. This query runs every day and its severity is Medium.",
- "displayName": "(Preview) GitHub - Repository was destroyed",
+ "description": "Detect activities when a payment method was removed. This query runs every day and its severity is Medium.",
+ "displayName": "(Preview) GitHub - A payment method was removed",
 "enabled": false,
- "query": "GitHubAuditData\n| where Action == \"repo.destroy\"\n| extend AccountCustomEntity = Actor\n",
+ "query": "GitHubAuditData\n| where Action == \"payment_method.remove\"\n| extend AccountCustomEntity = Actor\n",
 "queryFrequency": "P1D",
 "queryPeriod": "P7D",
 "severity": "Medium",
@@ -863,13 +1205,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Account"
 }
 ]
 }
@@ -877,13 +1219,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
 "properties": {
- "description": "GitHub Analytics Rule 5",
- "parentId": "[variables('analyticRuleId5')]",
- "contentId": "[variables('_analyticRulecontentId5')]",
+ "description": "GitHub Analytics Rule 1",
+ "parentId": "[variables('analyticRuleId1')]",
+ "contentId": "[variables('_analyticRulecontentId1')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion5')]",
+ "version": "[variables('analyticRuleVersion1')]",
 "source": {
 "kind": "Solution",
 "name": "GitHub",
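Review bot: In the `@@ -811,41 +1153,41 @@` hunk the payment-method rule is a plain filter on `Action == "payment_method.remove"`, yet it keeps `"queryFrequency": "P1D"` together with `"queryPeriod": "P7D"`, so each matching event falls inside seven consecutive daily runs and can be reported again on every one of them. Unless the longer lookback is there to absorb ingestion delay, align it with the schedule, `"queryPeriod": "P1D"`. The rule's remaining properties (threshold, suppression, grouping) lie outside the hunk, so confirm they do not already handle the repeats; if this template is produced from the rule's own definition, the change belongs there.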
@@ -908,43 +1250,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId5')]", + "contentId": "[variables('_analyticRulecontentId1')]", "contentKind": "AnalyticsRule", - "displayName": "(Preview) GitHub - Repository was destroyed", - "contentProductId": "[variables('_analyticRulecontentProductId5')]", - "id": "[variables('_analyticRulecontentProductId5')]", - "version": "[variables('analyticRuleVersion5')]" + "displayName": "(Preview) GitHub - A payment method was removed", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName6')]", + "name": "[variables('analyticRuleTemplateSpecName2')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "(Preview) GitHub - Two Factor Authentication Disabled in GitHub_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "(Preview) GitHub - Activities from Infrequent Country_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('analyticRuleVersion2')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId6')]", + "name": "[variables('analyticRulecontentId2')]", 
"apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. ", - "displayName": "GitHub Two Factor Auth Disable", + "description": "Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.", + "displayName": "GitHub Activites from a New Country", "enabled": false, - "query": "GitHubAuditData\n| where Action == \"org.disable_two_factor_requirement\"\n| project TimeGenerated, Action, Actor, Country, Repository\n| extend AccountCustomEntity = Actor\n", + "query": "let LearningPeriod = 7d;\nlet RunTime = 1h;\nlet StartTime = 1h;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet GitHubCountryCodeLogs = (GitHubAuditData\n| where Country != \"\");\n GitHubCountryCodeLogs\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\n| summarize makeset(Country) by Actor\n| join kind=innerunique (\n GitHubCountryCodeLogs\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\n | distinct Country, Actor, TimeGenerated\n) on Actor \n| where set_Country !contains Country\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\n", "queryFrequency": "P1D", - "queryPeriod": "P1D", + "queryPeriod": "P7D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
@@ -953,20 +1295,20 @@ "status": "Available", "requiredDataConnectors": "[variables('TemplateEmptyArray')]", "tactics": [ - "DefenseEvasion" + "InitialAccess" ], "techniques": [ - "T1562" + "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "FullName" } - ] + ], + "entityType": "Account" } ] } @@ -974,13 +1316,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", "properties": { - "description": "GitHub Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", + "description": "GitHub Analytics Rule 2", + "parentId": "[variables('analyticRuleId2')]", + "contentId": "[variables('_analyticRulecontentId2')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", + "version": "[variables('analyticRuleVersion2')]", "source": { "kind": "Solution", "name": "GitHub", 
@@ -1005,41 +1347,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId6')]", + "contentId": "[variables('_analyticRulecontentId2')]", "contentKind": "AnalyticsRule", - "displayName": "GitHub Two Factor Auth Disable", - "contentProductId": "[variables('_analyticRulecontentProductId6')]", - "id": "[variables('_analyticRulecontentProductId6')]", - "version": "[variables('analyticRuleVersion6')]" + "displayName": "GitHub Activites from a New Country", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName7')]", + "name": "[variables('analyticRuleTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "(Preview) GitHub - User visibility Was changed_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "(Preview) GitHub - Oauth application - a client secret was removed_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('analyticRuleVersion3')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId7')]", + "name": "[variables('analyticRulecontentId3')]", "apiVersion": 
"2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detect activities when a user visibility Was changed. This query runs every day and its severity is Medium.", - "displayName": "(Preview) GitHub - User visibility Was changed", + "description": "Detect activities when a client secret was removed. This query runs every day and its severity is Medium.", + "displayName": "(Preview) GitHub - Oauth application - a client secret was removed", "enabled": false, - "query": "GitHubAuditData\n| where Visibility != PreviousVisibility\n| project Actor, PreviousVisibility, Visibility\n| extend AccountCustomEntity = Actor\n", + "query": "GitHubAuditData\n| where Action == \"oauth_application.remove_client_secret\"\n| extend AccountCustomEntity = Actor\n", "queryFrequency": "P1D", "queryPeriod": "P7D", "severity": "Medium", @@ -1057,13 +1399,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "FullName" } - ] + ], + "entityType": "Account" } ] } 
@@ -1071,13 +1413,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", "properties": { - "description": "GitHub Analytics Rule 7", - "parentId": "[variables('analyticRuleId7')]", - "contentId": "[variables('_analyticRulecontentId7')]", + "description": "GitHub Analytics Rule 3", + "parentId": "[variables('analyticRuleId3')]", + "contentId": "[variables('_analyticRulecontentId3')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion7')]", + "version": "[variables('analyticRuleVersion3')]", "source": { "kind": "Solution", "name": "GitHub", 
@@ -1102,41 +1444,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId7')]", + "contentId": "[variables('_analyticRulecontentId3')]", "contentKind": "AnalyticsRule", - "displayName": "(Preview) GitHub - User visibility Was changed", - "contentProductId": "[variables('_analyticRulecontentProductId7')]", - "id": "[variables('_analyticRulecontentProductId7')]", - "version": "[variables('analyticRuleVersion7')]" + "displayName": "(Preview) GitHub - Oauth application - a client secret was removed", + "contentProductId": "[variables('_analyticRulecontentProductId3')]", + "id": "[variables('_analyticRulecontentProductId3')]", + "version": "[variables('analyticRuleVersion3')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName8')]", + "name": "[variables('analyticRuleTemplateSpecName4')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "(Preview) GitHub - User was added to the organization_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "(Preview) GitHub - Repository was created_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", + "contentVersion": "[variables('analyticRuleVersion4')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId8')]", + "name": "[variables('analyticRulecontentId4')]", 
"apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detect activities when a user was added to the organization. This query runs every day and its severity is Medium.", - "displayName": "(Preview) GitHub - User was added to the organization", + "description": "Detect activities when a repository was created. This query runs every day and its severity is Medium.", + "displayName": "(Preview) GitHub - Repository was created", "enabled": false, - "query": "GitHubAuditData\n| where Action == \"org.add_member\"\n| project Actor, Action\n| extend AccountCustomEntity = Actor\n", + "query": "GitHubAuditData\n| where Action == \"repo.create\"\n| extend AccountCustomEntity = Actor\n", "queryFrequency": "P1D", "queryPeriod": "P7D", "severity": "Medium", @@ -1154,13 +1496,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "FullName" } - ] + ], + "entityType": "Account" } ] } 
@@ -1168,13 +1510,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", "properties": { - "description": "GitHub Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", + "description": "GitHub Analytics Rule 4", + "parentId": "[variables('analyticRuleId4')]", + "contentId": "[variables('_analyticRulecontentId4')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", + "version": "[variables('analyticRuleVersion4')]", "source": { "kind": "Solution", "name": "GitHub", 
@@ -1199,41 +1541,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId8')]", + "contentId": "[variables('_analyticRulecontentId4')]", "contentKind": "AnalyticsRule", - "displayName": "(Preview) GitHub - User was added to the organization", - "contentProductId": "[variables('_analyticRulecontentProductId8')]", - "id": "[variables('_analyticRulecontentProductId8')]", - "version": "[variables('analyticRuleVersion8')]" + "displayName": "(Preview) GitHub - Repository was created", + "contentProductId": "[variables('_analyticRulecontentProductId4')]", + "id": "[variables('_analyticRulecontentProductId4')]", + "version": "[variables('analyticRuleVersion4')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName9')]", + "name": "[variables('analyticRuleTemplateSpecName5')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "(Preview) GitHub - User was blocked_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "(Preview) GitHub - Repository was destroyed_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('analyticRuleVersion5')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId9')]", + "name": "[variables('analyticRulecontentId5')]", "apiVersion": 
"2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detect activities when a user was blocked on the repository. This query runs every day and its severity is Medium.", - "displayName": "(Preview) GitHub - User was blocked", + "description": "Detect activities when a repository was destroyed. This query runs every day and its severity is Medium.", + "displayName": "(Preview) GitHub - Repository was destroyed", "enabled": false, - "query": "GitHubAuditData\n| where Action == \"org.block_user\"\n| project Actor, Action \n| extend AccountCustomEntity = Actor\n", + "query": "GitHubAuditData\n| where Action == \"repo.destroy\"\n| extend AccountCustomEntity = Actor\n", "queryFrequency": "P1D", "queryPeriod": "P7D", "severity": "Medium", @@ -1251,13 +1593,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "FullName" } - ] + ], + "entityType": "Account" } ] } 
@@ -1265,13 +1607,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", "properties": { - "description": "GitHub Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", + "description": "GitHub Analytics Rule 5", + "parentId": "[variables('analyticRuleId5')]", + "contentId": "[variables('_analyticRulecontentId5')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "version": "[variables('analyticRuleVersion5')]", "source": { "kind": "Solution", "name": "GitHub", 
@@ -1296,43 +1638,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId9')]", + "contentId": "[variables('_analyticRulecontentId5')]", "contentKind": "AnalyticsRule", - "displayName": "(Preview) GitHub - User was blocked", - "contentProductId": "[variables('_analyticRulecontentProductId9')]", - "id": "[variables('_analyticRulecontentProductId9')]", - "version": "[variables('analyticRuleVersion9')]" + "displayName": "(Preview) GitHub - Repository was destroyed", + "contentProductId": "[variables('_analyticRulecontentProductId5')]", + "id": "[variables('_analyticRulecontentProductId5')]", + "version": "[variables('analyticRuleVersion5')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName10')]", + "name": "[variables('analyticRuleTemplateSpecName6')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "(Preview) GitHub - User was invited to the repository_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "(Preview) GitHub - Two Factor Authentication Disabled in GitHub_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", + "contentVersion": "[variables('analyticRuleVersion6')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId10')]", + "name": "[variables('analyticRulecontentId6')]", 
"apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detect activities when a user was invited to the repository. This query runs every day and its severity is Medium.", - "displayName": "(Preview) GitHub - User was invited to the repository", + "description": "Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. ", + "displayName": "GitHub Two Factor Auth Disable", "enabled": false, - "query": "GitHubAuditData \n| where Action == \"org.invite_member\"\n| project Actor, Action\n| extend AccountCustomEntity = Actor\n", + "query": "GitHubAuditData\n| where Action == \"org.disable_two_factor_requirement\"\n| project TimeGenerated, Action, Actor, Country, Repository\n| extend AccountCustomEntity = Actor\n", "queryFrequency": "P1D", - "queryPeriod": "P7D", + "queryPeriod": "P1D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -1341,20 +1683,20 @@ "status": "Available", "requiredDataConnectors": "[variables('TemplateEmptyArray')]", "tactics": [ - "InitialAccess" + "DefenseEvasion" ], "techniques": [ - "T1078" + "T1562" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "FullName" } - ] + ], + "entityType": "Account" } ] } 
@@ -1362,13 +1704,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", "properties": { - "description": "GitHub Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", + "description": "GitHub Analytics Rule 6", + "parentId": "[variables('analyticRuleId6')]", + "contentId": "[variables('_analyticRulecontentId6')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", + "version": "[variables('analyticRuleVersion6')]", "source": { "kind": "Solution", "name": "GitHub", 
@@ -1393,41 +1735,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId10')]", + "contentId": "[variables('_analyticRulecontentId6')]", "contentKind": "AnalyticsRule", - "displayName": "(Preview) GitHub - User was invited to the repository", - "contentProductId": "[variables('_analyticRulecontentProductId10')]", - "id": "[variables('_analyticRulecontentProductId10')]", - "version": "[variables('analyticRuleVersion10')]" + "displayName": "GitHub Two Factor Auth Disable", + "contentProductId": "[variables('_analyticRulecontentProductId6')]", + "id": "[variables('_analyticRulecontentProductId6')]", + "version": "[variables('analyticRuleVersion6')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName11')]", + "name": "[variables('analyticRuleTemplateSpecName7')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "(Preview) GitHub - pull request was created_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "(Preview) GitHub - User visibility Was changed_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion11')]", + "contentVersion": "[variables('analyticRuleVersion7')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId11')]", + "name": "[variables('analyticRulecontentId7')]", "apiVersion": 
"2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detect activities when a pull request was created. This query runs every day and its severity is Medium.", - "displayName": "(Preview) GitHub - pull request was created", + "description": "Detect activities when a user visibility Was changed. This query runs every day and its severity is Medium.", + "displayName": "(Preview) GitHub - User visibility Was changed", "enabled": false, - "query": "GitHubAuditData \n| where Action == \"pull_request.create\"\n| project Actor, Action\n| extend AccountCustomEntity = Actor\n", + "query": "GitHubAuditData\n| where Visibility != PreviousVisibility\n| project Actor, PreviousVisibility, Visibility\n| extend AccountCustomEntity = Actor\n", "queryFrequency": "P1D", "queryPeriod": "P7D", "severity": "Medium", @@ -1445,13 +1787,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "FullName" } - ] + ], + "entityType": "Account" } ] } 
@@ -1459,13 +1801,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", "properties": { - "description": "GitHub Analytics Rule 11", - "parentId": "[variables('analyticRuleId11')]", - "contentId": "[variables('_analyticRulecontentId11')]", + "description": "GitHub Analytics Rule 7", + "parentId": "[variables('analyticRuleId7')]", + "contentId": "[variables('_analyticRulecontentId7')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion11')]", + "version": "[variables('analyticRuleVersion7')]", "source": { "kind": "Solution", "name": "GitHub", 
@@ -1490,41 +1832,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId11')]", + "contentId": "[variables('_analyticRulecontentId7')]", "contentKind": "AnalyticsRule", - "displayName": "(Preview) GitHub - pull request was created", - "contentProductId": "[variables('_analyticRulecontentProductId11')]", - "id": "[variables('_analyticRulecontentProductId11')]", - "version": "[variables('analyticRuleVersion11')]" + "displayName": "(Preview) GitHub - User visibility Was changed", + "contentProductId": "[variables('_analyticRulecontentProductId7')]", + "id": "[variables('_analyticRulecontentProductId7')]", + "version": "[variables('analyticRuleVersion7')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName12')]", + "name": "[variables('analyticRuleTemplateSpecName8')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "(Preview) GitHub - pull request was merged_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "(Preview) GitHub - User was added to the organization_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion12')]", + "contentVersion": "[variables('analyticRuleVersion8')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId12')]", + "name": "[variables('analyticRulecontentId8')]", "apiVersion": 
"2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detect activities when a pull request was merged. This query runs every day and its severity is Medium.", - "displayName": "(Preview) GitHub - pull request was merged", + "description": "Detect activities when a user was added to the organization. This query runs every day and its severity is Medium.", + "displayName": "(Preview) GitHub - User was added to the organization", "enabled": false, - "query": "GitHubAuditData\n| where Action == \"pull_request.merge\"\n| project Actor, Action\n| extend AccountCustomEntity = Actor\n", + "query": "GitHubAuditData\n| where Action == \"org.add_member\"\n| project Actor, Action\n| extend AccountCustomEntity = Actor\n", "queryFrequency": "P1D", "queryPeriod": "P7D", "severity": "Medium", @@ -1542,13 +1884,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "FullName" } - ] + ], + "entityType": "Account" } ] } 
@@ -1556,13 +1898,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId12'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", "properties": { - "description": "GitHub Analytics Rule 12", - "parentId": "[variables('analyticRuleId12')]", - "contentId": "[variables('_analyticRulecontentId12')]", + "description": "GitHub Analytics Rule 8", + "parentId": "[variables('analyticRuleId8')]", + "contentId": "[variables('_analyticRulecontentId8')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion12')]", + "version": "[variables('analyticRuleVersion8')]", "source": { "kind": "Solution", "name": "GitHub", 
@@ -1587,70 +1929,65 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId12')]", + "contentId": "[variables('_analyticRulecontentId8')]", "contentKind": "AnalyticsRule", - "displayName": "(Preview) GitHub - pull request was merged", - "contentProductId": "[variables('_analyticRulecontentProductId12')]", - "id": "[variables('_analyticRulecontentProductId12')]", - "version": "[variables('analyticRuleVersion12')]" + "displayName": "(Preview) GitHub - User was added to the organization", + "contentProductId": "[variables('_analyticRulecontentProductId8')]", + "id": "[variables('_analyticRulecontentProductId8')]", + "version": "[variables('analyticRuleVersion8')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName13')]", + "name": "[variables('analyticRuleTemplateSpecName9')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT Two Factor Authentication Disabled_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "(Preview) GitHub - User was blocked_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion13')]", + "contentVersion": "[variables('analyticRuleVersion9')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId13')]", + "name": "[variables('analyticRulecontentId9')]", "apiVersion": 
"2022-04-01-preview", - "kind": "NRT", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. ", - "displayName": "NRT GitHub Two Factor Auth Disable", + "description": "Detect activities when a user was blocked on the repository. This query runs every day and its severity is Medium.", + "displayName": "(Preview) GitHub - User was blocked", "enabled": false, - "query": "GitHubAudit\n| where Action == \"org.disable_two_factor_requirement\"\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\n", + "query": "GitHubAuditData\n| where Action == \"org.block_user\"\n| project Actor, Action \n| extend AccountCustomEntity = Actor\n", + "queryFrequency": "P1D", + "queryPeriod": "P7D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": "[variables('TemplateEmptyArray')]", "tactics": [ - "DefenseEvasion" + "InitialAccess" ], "techniques": [ - "T1562" + "T1078" ], "entityMappings": [ { - "entityType": "Account", - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ] - }, - { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "FullName" } - ] + ], + "entityType": "Account" } ] } 
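Review bot: The `org.block_user` rule on the new side pairs `"queryFrequency": "P1D"` with `"queryPeriod": "P7D"`, so a single audit event still matches on each of the seven daily runs whose window covers it and can raise the same alert repeatedly. The description says the query runs every day, so `"queryPeriod": "P1D"` would keep the look-back aligned with the schedule. The query also ends in `| project Actor, Action`, which drops `TimeGenerated` and the account that was blocked; keeping at least `TimeGenerated` in the projection gives the analyst something to triage from. The same pairing and projection appear in the invite, pull-request-created and pull-request-merged rules in the following hunks. The rule's template resource continues past the end of this hunk.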
@@ -1658,13 +1995,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId13'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", "properties": { - "description": "GitHub Analytics Rule 13", - "parentId": "[variables('analyticRuleId13')]", - "contentId": "[variables('_analyticRulecontentId13')]", + "description": "GitHub Analytics Rule 9", + "parentId": "[variables('analyticRuleId9')]", + "contentId": "[variables('_analyticRulecontentId9')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion13')]", + "version": "[variables('analyticRuleVersion9')]", "source": { "kind": "Solution", "name": "GitHub", 
@@ -1689,62 +2026,79 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId13')]", + "contentId": "[variables('_analyticRulecontentId9')]", "contentKind": "AnalyticsRule", - "displayName": "NRT GitHub Two Factor Auth Disable", - "contentProductId": "[variables('_analyticRulecontentProductId13')]", - "id": "[variables('_analyticRulecontentProductId13')]", - "version": "[variables('analyticRuleVersion13')]" + "displayName": "(Preview) GitHub - User was blocked", + "contentProductId": "[variables('_analyticRulecontentProductId9')]", + "id": "[variables('_analyticRulecontentProductId9')]", + "version": "[variables('analyticRuleVersion9')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName14')]", + "name": "[variables('analyticRuleTemplateSpecName10')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Security Vulnerability in Repo_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "(Preview) GitHub - User was invited to the repository_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion14')]", + "contentVersion": "[variables('analyticRuleVersion10')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId14')]", + "name": "[variables('analyticRulecontentId10')]", "apiVersion": "2022-04-01-preview", "kind": 
"Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This alerts when there is a new security vulnerability in a GitHub repository.", - "displayName": "GitHub Security Vulnerability in Repository", + "description": "Detect activities when a user was invited to the repository. This query runs every day and its severity is Medium.", + "displayName": "(Preview) GitHub - User was invited to the repository", "enabled": false, - "query": "GitHubRepo\n| where Action == \"vulnerabilityAlert\"\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Informational", + "query": "GitHubAuditData \n| where Action == \"org.invite_member\"\n| project Actor, Action\n| extend AccountCustomEntity = Actor\n", + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": "[variables('TemplateEmptyArray')]" + "requiredDataConnectors": "[variables('TemplateEmptyArray')]", + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Account" + } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId14'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", "properties": { - "description": "GitHub Analytics Rule 14", - "parentId": "[variables('analyticRuleId14')]", - "contentId": 
"[variables('_analyticRulecontentId14')]", + "description": "GitHub Analytics Rule 10", + "parentId": "[variables('analyticRuleId10')]", + "contentId": "[variables('_analyticRulecontentId10')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion14')]", + "version": "[variables('analyticRuleVersion10')]", "source": { "kind": "Solution", "name": "GitHub", 
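Review bot: The display name and description say a user was invited to the repository, but the query filters on `org.invite_member`, which by its name is an organization-level audit action. An analyst reading the alert title would check repository collaborators rather than organization membership. Either the title should read `(Preview) GitHub - User was invited to the organization`, or the filter should name the repository-level action the rule is meant to catch. The user-blocked rule in the previous hunk has the same gap between "blocked on the repository" and `org.block_user`.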
@@ -1769,53 +2123,65 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId14')]", + "contentId": "[variables('_analyticRulecontentId10')]", "contentKind": "AnalyticsRule", - "displayName": "GitHub Security Vulnerability in Repository", - "contentProductId": "[variables('_analyticRulecontentProductId14')]", - "id": "[variables('_analyticRulecontentProductId14')]", - "version": "[variables('analyticRuleVersion14')]" + "displayName": "(Preview) GitHub - User was invited to the repository", + "contentProductId": "[variables('_analyticRulecontentProductId10')]", + "id": "[variables('_analyticRulecontentProductId10')]", + "version": "[variables('analyticRuleVersion10')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName1')]", + "name": "[variables('analyticRuleTemplateSpecName11')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "First Time User Invite and Add Member to Org_HuntingQueries Hunting Query with template version 3.0.1", + "description": "(Preview) GitHub - pull request was created_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion1')]", + "contentVersion": "[variables('analyticRuleVersion11')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "GitHub_Hunting_Query_1", + "type": 
"Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId11')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "GitHub First Time Invite Member and Add Member to Repo", - "category": "Hunting Queries", - "query": "\nlet starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet LearningPeriod = 7d;\nlet EndLearningTime = starttime - LearningPeriod;\nlet GitHubOrgMemberLogs = (GitHubAuditData\n| where Action == \"org.invite_member\" or Action == \"org.update_member\" or Action == \"org.add_member\" or Action == \"repo.add_member\" or Action == \"team.add_member\");\nGitHubOrgMemberLogs\n| where TimeGenerated between (EndLearningTime..starttime)\n| distinct Actor\n| join kind=rightanti (\n GitHubOrgMemberLogs\n | where TimeGenerated between (starttime..endtime)\n | distinct Actor\n) on Actor\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "This hunting query identifies a user that add/invite a member to the organization for the first time. This technique can be leveraged by attackers to add stealth account access to the organization." - }, - { - "name": "tactics", - "value": "Persistence" - }, + "description": "Detect activities when a pull request was created. 
This query runs every day and its severity is Medium.", + "displayName": "(Preview) GitHub - pull request was created", + "enabled": false, + "query": "GitHubAuditData \n| where Action == \"pull_request.create\"\n| project Actor, Action\n| extend AccountCustomEntity = Actor\n", + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": "[variables('TemplateEmptyArray')]", + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1136" + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Account" } ] } @@ -1823,13 +2189,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]", "properties": { - "description": "GitHub Hunting Query 1", - "parentId": "[variables('huntingQueryId1')]", - "contentId": "[variables('_huntingQuerycontentId1')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion1')]", + "description": "GitHub Analytics Rule 11", + "parentId": "[variables('analyticRuleId11')]", + "contentId": "[variables('_analyticRulecontentId11')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion11')]", "source": { "kind": "Solution", "name": "GitHub", 
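Review bot: The pull-request-created rule is tagged `InitialAccess` / `T1078` at `Medium` severity with `"triggerThreshold": 0`, and its query has no condition beyond `Action == "pull_request.create"`, so once enabled every pull request opened would match and be labelled as valid-account abuse. That volume tends to bury the alerts that matter and skews any ATT&CK coverage reporting built on these tags. Unless the query gains a condition that separates unusual actors or repositories from routine work, `"severity": "Informational"` or a hunting query would fit this signal better. The pull-request-merged rule in the next hunk has the same tagging and threshold.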
@@ -1854,53 +2220,65 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId1')]", - "contentKind": "HuntingQuery", - "displayName": "GitHub First Time Invite Member and Add Member to Repo", - "contentProductId": "[variables('_huntingQuerycontentProductId1')]", - "id": "[variables('_huntingQuerycontentProductId1')]", - "version": "[variables('huntingQueryVersion1')]" + "contentId": "[variables('_analyticRulecontentId11')]", + "contentKind": "AnalyticsRule", + "displayName": "(Preview) GitHub - pull request was created", + "contentProductId": "[variables('_analyticRulecontentProductId11')]", + "id": "[variables('_analyticRulecontentProductId11')]", + "version": "[variables('analyticRuleVersion11')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName2')]", + "name": "[variables('analyticRuleTemplateSpecName12')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Inactive or New Account Usage_HuntingQueries Hunting Query with template version 3.0.1", + "description": "(Preview) GitHub - pull request was merged_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion2')]", + "contentVersion": "[variables('analyticRuleVersion12')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "GitHub_Hunting_Query_2", + "type": 
"Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId12')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "GitHub Inactive or New Account Access or Usage", - "category": "Hunting Queries", - "query": "\nlet starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet LearningPeriod = 7d;\nlet EndLearningTime = starttime - LearningPeriod;\nlet GitHubActorLogin = (GitHubAuditData\n| where Actor != \"\");\nlet GitHubUser = (GitHubAuditData\n| where ImpactedUser != \"\");\nlet GitHubNewActorLogin = (GitHubActorLogin\n| where TimeGenerated between (EndLearningTime .. starttime)\n| summarize makeset(Actor)\n| extend Dummy = 1\n| join kind=innerunique (\n GitHubActorLogin\n | where TimeGenerated between (starttime .. endtime)\n | distinct Actor\n | extend Dummy = 1\n) on Dummy\n| project-away Dummy\n| where set_Actor !contains Actor);\nlet GitHubNewUser = ( GitHubUser\n| where TimeGenerated between (EndLearningTime .. starttime)\n| summarize makeset(ImpactedUser)\n| extend Dummy = 1\n| join kind=innerunique (\n GitHubUser\n | where TimeGenerated between (starttime .. endtime)\n | distinct ImpactedUser\n | extend Dummy = 1\n) on Dummy\n| project-away Dummy\n| where set_ImpactedUser !contains ImpactedUser);\nunion GitHubNewActorLogin, GitHubNewUser\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "This hunting query identifies Accounts that are new or inactive and have accessed or used GitHub that may be a sign of compromise." - }, - { - "name": "tactics", - "value": "Persistence" - }, + "description": "Detect activities when a pull request was merged. 
This query runs every day and its severity is Medium.", + "displayName": "(Preview) GitHub - pull request was merged", + "enabled": false, + "query": "GitHubAuditData\n| where Action == \"pull_request.merge\"\n| project Actor, Action\n| extend AccountCustomEntity = Actor\n", + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": "[variables('TemplateEmptyArray')]", + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1136" + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Account" } ] } @@ -1908,13 +2286,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId12'),'/'))))]", "properties": { - "description": "GitHub Hunting Query 2", - "parentId": "[variables('huntingQueryId2')]", - "contentId": "[variables('_huntingQuerycontentId2')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion2')]", + "description": "GitHub Analytics Rule 12", + "parentId": "[variables('analyticRuleId12')]", + "contentId": "[variables('_analyticRulecontentId12')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion12')]", "source": { "kind": "Solution", "name": "GitHub", 
@@ -1939,53 +2317,70 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId2')]", - "contentKind": "HuntingQuery", - "displayName": "GitHub Inactive or New Account Access or Usage", - "contentProductId": "[variables('_huntingQuerycontentProductId2')]", - "id": "[variables('_huntingQuerycontentProductId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentId": "[variables('_analyticRulecontentId12')]", + "contentKind": "AnalyticsRule", + "displayName": "(Preview) GitHub - pull request was merged", + "contentProductId": "[variables('_analyticRulecontentProductId12')]", + "id": "[variables('_analyticRulecontentProductId12')]", + "version": "[variables('analyticRuleVersion12')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName3')]", + "name": "[variables('analyticRuleTemplateSpecName13')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Mass Deletion of Repositories _HuntingQueries Hunting Query with template version 3.0.1", + "description": "NRT Two Factor Authentication Disabled_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion3')]", + "contentVersion": "[variables('analyticRuleVersion13')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "GitHub_Hunting_Query_3", + "type": 
"Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId13')]", + "apiVersion": "2022-04-01-preview", + "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "GitHub Mass Deletion of repos or projects", - "category": "Hunting Queries", - "query": "\nlet starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet LearningPeriod = 7d;\nlet BinTime = 1h;\nlet EndLearningTime = starttime - LearningPeriod;\nlet NumberOfStds = 3;\nlet MinThreshold = 10.0;\nlet GitHubRepositoryDestroyEvents = (GitHubAuditData\n| where Action == \"repo.destroy\");\nGitHubRepositoryDestroyEvents\n| where TimeGenerated between (EndLearningTime .. starttime)\n| summarize count() by bin(TimeGenerated, BinTime)\n| summarize AvgInLearning = avg(count_), StdInLearning = stdev(count_)\n| extend LearningThreshold = max_of(AvgInLearning + StdInLearning * NumberOfStds, MinThreshold)\n| extend Dummy = 1\n| join kind=innerunique (\n GitHubRepositoryDestroyEvents\n | where TimeGenerated between (starttime..endtime)\n | summarize CountInRunTime = count() by bin(TimeGenerated, BinTime)\n | extend Dummy = 1\n) on Dummy\n| project-away Dummy\n| where CountInRunTime > LearningThreshold\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "This hunting query identifies GitHub activites where there are a large number of deletions that may be a sign of compromise." - }, + "description": "Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. 
", + "displayName": "NRT GitHub Two Factor Auth Disable", + "enabled": false, + "query": "GitHubAudit\n| where Action == \"org.disable_two_factor_requirement\"\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\n", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": "[variables('TemplateEmptyArray')]", + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1562" + ], + "entityMappings": [ { - "name": "tactics", - "value": "Impact" + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Account" }, { - "name": "techniques", - "value": "T1485" + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ], + "entityType": "IP" } ] } @@ -1993,13 +2388,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId13'),'/'))))]", "properties": { - "description": "GitHub Hunting Query 3", - "parentId": "[variables('huntingQueryId3')]", - "contentId": "[variables('_huntingQuerycontentId3')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion3')]", + "description": "GitHub Analytics Rule 13", + "parentId": "[variables('analyticRuleId13')]", + "contentId": "[variables('_analyticRulecontentId13')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion13')]", "source": { "kind": "Solution", "name": "GitHub", 
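Review bot: The NRT rule reads from `GitHubAudit`, while the other audit-log rules and hunting queries on this page read from `GitHubAuditData`. If `GitHubAudit` is not a table or function in the target workspace, the query fails and a disabled two-factor requirement goes unalerted, so the name is worth confirming. If it is a leftover, the query should start with `GitHubAuditData\n| where Action == \"org.disable_two_factor_requirement\"`. The projection also relies on `Country`, `IPaddress` and `Repository` existing on whichever source is used, since `IPCustomEntity` feeds the IP entity mapping.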
@@ -2024,67 +2419,62 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId3')]", - "contentKind": "HuntingQuery", - "displayName": "GitHub Mass Deletion of repos or projects", - "contentProductId": "[variables('_huntingQuerycontentProductId3')]", - "id": "[variables('_huntingQuerycontentProductId3')]", - "version": "[variables('huntingQueryVersion3')]" + "contentId": "[variables('_analyticRulecontentId13')]", + "contentKind": "AnalyticsRule", + "displayName": "NRT GitHub Two Factor Auth Disable", + "contentProductId": "[variables('_analyticRulecontentProductId13')]", + "id": "[variables('_analyticRulecontentProductId13')]", + "version": "[variables('analyticRuleVersion13')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName4')]", + "name": "[variables('analyticRuleTemplateSpecName14')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Oauth App Restrictions Disabled_HuntingQueries Hunting Query with template version 3.0.1", + "description": "Security Vulnerability in Repo_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion4')]", + "contentVersion": "[variables('analyticRuleVersion14')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "GitHub_Hunting_Query_4", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + 
"name": "[variables('analyticRulecontentId14')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "GitHub OAuth App Restrictions Disabled", - "category": "Hunting Queries", - "query": "\nGitHubAuditData\n| where Action == \"org.disable_oauth_app_restrictions\"\n| project TimeGenerated, Action, Actor, Country\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "This hunting query identifies GitHub OAuth Apps that have restrictions disabled that may be a sign of compromise. Attacker will want to disable such security tools in order to go undetected. " - }, - { - "name": "tactics", - "value": "Persistence,DefenseEvasion" - }, - { - "name": "techniques", - "value": "T1505,T1562" - } - ] + "description": "This alerts when there is a new security vulnerability in a GitHub repository.", + "displayName": "GitHub Security Vulnerability in Repository", + "enabled": false, + "query": "GitHubRepo\n| where Action == \"vulnerabilityAlert\"\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Informational", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": "[variables('TemplateEmptyArray')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId14'),'/'))))]", "properties": { - "description": "GitHub Hunting Query 4", - "parentId": 
"[variables('huntingQueryId4')]", - "contentId": "[variables('_huntingQuerycontentId4')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion4')]", + "description": "GitHub Analytics Rule 14", + "parentId": "[variables('analyticRuleId14')]", + "contentId": "[variables('_analyticRulecontentId14')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion14')]", "source": { "kind": "Solution", "name": "GitHub", 
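Review bot: The vulnerability rule projects `DismmisedAt`, which looks like a misspelling of `DismissedAt`. A `project` on a column the source does not expose makes the whole query fail, so the spelling should be checked against the `GitHubRepo` parser; if the parser itself uses this spelling, the rule is right as written. The rule also carries no `tactics`, `techniques` or `entityMappings`, unlike the other rules in this file, so its alerts arrive with no entity to pivot on.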
@@ -2109,53 +2499,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId4')]", - "contentKind": "HuntingQuery", - "displayName": "GitHub OAuth App Restrictions Disabled", - "contentProductId": "[variables('_huntingQuerycontentProductId4')]", - "id": "[variables('_huntingQuerycontentProductId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentId": "[variables('_analyticRulecontentId14')]", + "contentKind": "AnalyticsRule", + "displayName": "GitHub Security Vulnerability in Repository", + "contentProductId": "[variables('_analyticRulecontentProductId14')]", + "id": "[variables('_analyticRulecontentProductId14')]", + "version": "[variables('analyticRuleVersion14')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName5')]", + "name": "[variables('huntingQueryTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Org Repositories Default Permissions Change_HuntingQueries Hunting Query with template version 3.0.1", + "description": "First Time User Invite and Add Member to Org_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion5')]", + "contentVersion": "[variables('huntingQueryVersion1')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", "apiVersion": "2022-10-01", - "name": "GitHub_Hunting_Query_5", + "name": "GitHub_Hunting_Query_1", 
"location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "GitHub Update Permissions", + "displayName": "GitHub First Time Invite Member and Add Member to Repo", "category": "Hunting Queries", - "query": "\nGitHubAuditData\n| where Action == \"org.update_default_repository_permission\"\n| project TimeGenerated, Action, Actor, Country, Repository, PreviousPermission, CurrentPermission\n", + "query": "\nlet starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet LearningPeriod = 7d;\nlet EndLearningTime = starttime - LearningPeriod;\nlet GitHubOrgMemberLogs = (GitHubAuditData\n| where Action == \"org.invite_member\" or Action == \"org.update_member\" or Action == \"org.add_member\" or Action == \"repo.add_member\" or Action == \"team.add_member\");\nGitHubOrgMemberLogs\n| where TimeGenerated between (EndLearningTime..starttime)\n| distinct Actor\n| join kind=rightanti (\n GitHubOrgMemberLogs\n | where TimeGenerated between (starttime..endtime)\n | distinct Actor\n) on Actor\n", "version": 2, "tags": [ { "name": "description", - "value": "This hunting query identifies GitHub activites where permissions are updated that may be a sign of compromise." + "value": "This hunting query identifies a user that add/invite a member to the organization for the first time. This technique can be leveraged by attackers to add stealth account access to the organization." }, { "name": "tactics", - "value": "Persistence,DefenseEvasion" + "value": "Persistence" }, { "name": "techniques", - "value": "T1098,T1562" + "value": "T1136" } ] } 
@@ -2163,13 +2553,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", "properties": { - "description": "GitHub Hunting Query 5", - "parentId": "[variables('huntingQueryId5')]", - "contentId": "[variables('_huntingQuerycontentId5')]", + "description": "GitHub Hunting Query 1", + "parentId": "[variables('huntingQueryId1')]", + "contentId": "[variables('_huntingQuerycontentId1')]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion5')]", + "version": "[variables('huntingQueryVersion1')]", "source": { "kind": "Solution", "name": "GitHub", 
@@ -2194,53 +2584,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId5')]", + "contentId": "[variables('_huntingQuerycontentId1')]", "contentKind": "HuntingQuery", - "displayName": "GitHub Update Permissions", - "contentProductId": "[variables('_huntingQuerycontentProductId5')]", - "id": "[variables('_huntingQuerycontentProductId5')]", - "version": "[variables('huntingQueryVersion5')]" + "displayName": "GitHub First Time Invite Member and Add Member to Repo", + "contentProductId": "[variables('_huntingQuerycontentProductId1')]", + "id": "[variables('_huntingQuerycontentProductId1')]", + "version": "[variables('huntingQueryVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName6')]", + "name": "[variables('huntingQueryTemplateSpecName2')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Repository Permission Switched to Public_HuntingQueries Hunting Query with template version 3.0.1", + "description": "Inactive or New Account Usage_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion6')]", + "contentVersion": "[variables('huntingQueryVersion2')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", "apiVersion": "2022-10-01", - "name": "GitHub_Hunting_Query_6", + "name": "GitHub_Hunting_Query_2", "location": "[parameters('workspace-location')]", "properties": { 
"eTag": "*", - "displayName": "GitHub Repo switched from private to public", + "displayName": "GitHub Inactive or New Account Access or Usage", "category": "Hunting Queries", - "query": "\nGitHubAuditData\n| where Action == \"repo.access\"\n| where Visibility == \"public\" and PreviousVisibility in (\"internal\", \"private\")\n| project TimeGenerated, Action, Actor, Country, Repository, Visibility\n", + "query": "\nlet starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet LearningPeriod = 7d;\nlet EndLearningTime = starttime - LearningPeriod;\nlet GitHubActorLogin = (GitHubAuditData\n| where Actor != \"\");\nlet GitHubUser = (GitHubAuditData\n| where ImpactedUser != \"\");\nlet GitHubNewActorLogin = (GitHubActorLogin\n| where TimeGenerated between (EndLearningTime .. starttime)\n| summarize makeset(Actor)\n| extend Dummy = 1\n| join kind=innerunique (\n GitHubActorLogin\n | where TimeGenerated between (starttime .. endtime)\n | distinct Actor\n | extend Dummy = 1\n) on Dummy\n| project-away Dummy\n| where set_Actor !contains Actor);\nlet GitHubNewUser = ( GitHubUser\n| where TimeGenerated between (EndLearningTime .. starttime)\n| summarize makeset(ImpactedUser)\n| extend Dummy = 1\n| join kind=innerunique (\n GitHubUser\n | where TimeGenerated between (starttime .. endtime)\n | distinct ImpactedUser\n | extend Dummy = 1\n) on Dummy\n| project-away Dummy\n| where set_ImpactedUser !contains ImpactedUser);\nunion GitHubNewActorLogin, GitHubNewUser\n", "version": 2, "tags": [ { "name": "description", - "value": "This hunting query identifies GitHub activites where a repo was changed from private to public that may be a sign of compromise." + "value": "This hunting query identifies Accounts that are new or inactive and have accessed or used GitHub that may be a sign of compromise." }, { "name": "tactics", - "value": "Collection" + "value": "Persistence" }, { "name": "techniques", - "value": "T1213" + "value": "T1136" } ] } 
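Review bot: The "GitHub Inactive or New Account Access or Usage" query on the new side tests set membership with `| where set_Actor !contains Actor` (and `set_ImpactedUser !contains ImpactedUser`), which appears to be a substring match against the serialized set rather than an exact element match. If so, a new account whose login is a substring of a login seen in the learning window (a constructed example: `ann` versus `joanne`) would be dropped from the results, which is a false negative for exactly the accounts this hunt targets. An exact test such as `| where not(set_has_element(set_Actor, Actor))`, or the `join kind=rightanti (...) on Actor` pattern that the "First Time Invite Member" query in this same template already uses, avoids that. The enclosing resource object continues past the end of this hunk, and if this template is generated from a hunting-query source file, the change belongs in that source.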
@@ -2248,13 +2638,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", "properties": { - "description": "GitHub Hunting Query 6", - "parentId": "[variables('huntingQueryId6')]", - "contentId": "[variables('_huntingQuerycontentId6')]", + "description": "GitHub Hunting Query 2", + "parentId": "[variables('huntingQueryId2')]", + "contentId": "[variables('_huntingQuerycontentId2')]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion6')]", + "version": "[variables('huntingQueryVersion2')]", "source": { "kind": "Solution", "name": "GitHub", 
@@ -2279,45 +2669,45 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId6')]", + "contentId": "[variables('_huntingQuerycontentId2')]", "contentKind": "HuntingQuery", - "displayName": "GitHub Repo switched from private to public", - "contentProductId": "[variables('_huntingQuerycontentProductId6')]", - "id": "[variables('_huntingQuerycontentProductId6')]", - "version": "[variables('huntingQueryVersion6')]" + "displayName": "GitHub Inactive or New Account Access or Usage", + "contentProductId": "[variables('_huntingQuerycontentProductId2')]", + "id": "[variables('_huntingQuerycontentProductId2')]", + "version": "[variables('huntingQueryVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName7')]", + "name": "[variables('huntingQueryTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User First Time Repository Delete Activity_HuntingQueries Hunting Query with template version 3.0.1", + "description": "Mass Deletion of Repositories _HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion7')]", + "contentVersion": "[variables('huntingQueryVersion3')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", "apiVersion": "2022-10-01", - "name": "GitHub_Hunting_Query_7", + "name": "GitHub_Hunting_Query_3", "location": "[parameters('workspace-location')]", 
"properties": { "eTag": "*", - "displayName": "GitHub First Time Repo Delete", + "displayName": "GitHub Mass Deletion of repos or projects", "category": "Hunting Queries", - "query": "\nlet starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet LearningPeriod = 7d;\nlet EndLearningTime = starttime - LearningPeriod;\nlet GitHubRepositoryDestroyEvents = (GitHubAuditData\n| where Action == \"repo.destroy\");\nGitHubRepositoryDestroyEvents\n| where TimeGenerated between (EndLearningTime .. starttime)\n| distinct Actor\n| join kind=rightanti (\n GitHubRepositoryDestroyEvents\n | where TimeGenerated between (starttime .. endtime)\n | distinct Actor\n) on Actor\n", + "query": "\nlet starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet LearningPeriod = 7d;\nlet BinTime = 1h;\nlet EndLearningTime = starttime - LearningPeriod;\nlet NumberOfStds = 3;\nlet MinThreshold = 10.0;\nlet GitHubRepositoryDestroyEvents = (GitHubAuditData\n| where Action == \"repo.destroy\");\nGitHubRepositoryDestroyEvents\n| where TimeGenerated between (EndLearningTime .. starttime)\n| summarize count() by bin(TimeGenerated, BinTime)\n| summarize AvgInLearning = avg(count_), StdInLearning = stdev(count_)\n| extend LearningThreshold = max_of(AvgInLearning + StdInLearning * NumberOfStds, MinThreshold)\n| extend Dummy = 1\n| join kind=innerunique (\n GitHubRepositoryDestroyEvents\n | where TimeGenerated between (starttime..endtime)\n | summarize CountInRunTime = count() by bin(TimeGenerated, BinTime)\n | extend Dummy = 1\n) on Dummy\n| project-away Dummy\n| where CountInRunTime > LearningThreshold\n", "version": 2, "tags": [ { "name": "description", - "value": "This hunting query identifies GitHub activites its the first time a user deleted a repo that may be a sign of compromise." + "value": "This hunting query identifies GitHub activites where there are a large number of deletions that may be a sign of compromise." 
}, { "name": "tactics", @@ -2333,13 +2723,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", "properties": { - "description": "GitHub Hunting Query 7", - "parentId": "[variables('huntingQueryId7')]", - "contentId": "[variables('_huntingQuerycontentId7')]", + "description": "GitHub Hunting Query 3", + "parentId": "[variables('huntingQueryId3')]", + "contentId": "[variables('_huntingQuerycontentId3')]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion7')]", + "version": "[variables('huntingQueryVersion3')]", "source": { "kind": "Solution", "name": "GitHub", 
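Review bot: In the "GitHub Mass Deletion of repos or projects" query, the learning baseline comes from `| summarize count() by bin(TimeGenerated, BinTime)`, which only yields rows for hours that contained at least one `repo.destroy` event. `AvgInLearning` and `StdInLearning` are therefore computed over non-empty hours only, so in an organisation where deletions are rare the baseline is biased upward and `LearningThreshold` may sit above a burst that is in fact unusual. Building the hourly series over the full learning window with empty bins filled as zero (for example with `make-series ... default = 0` from `EndLearningTime` to `starttime`) before taking the average and standard deviation would give a baseline that reflects the quiet hours. It is also worth confirming how the threshold behaves when the learning window holds no deletions at all, since the average and standard deviation are then computed over an empty set and only `MinThreshold` should apply. The resource object holding this query continues past the end of the hunk.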
@@ -2364,53 +2754,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId7')]", + "contentId": "[variables('_huntingQuerycontentId3')]", "contentKind": "HuntingQuery", - "displayName": "GitHub First Time Repo Delete", - "contentProductId": "[variables('_huntingQuerycontentProductId7')]", - "id": "[variables('_huntingQuerycontentProductId7')]", - "version": "[variables('huntingQueryVersion7')]" + "displayName": "GitHub Mass Deletion of repos or projects", + "contentProductId": "[variables('_huntingQuerycontentProductId3')]", + "id": "[variables('_huntingQuerycontentProductId3')]", + "version": "[variables('huntingQueryVersion3')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName8')]", + "name": "[variables('huntingQueryTemplateSpecName4')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User Grant Access and Grants Other Access_HuntingQueries Hunting Query with template version 3.0.1", + "description": "Oauth App Restrictions Disabled_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion8')]", + "contentVersion": "[variables('huntingQueryVersion4')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", "apiVersion": "2022-10-01", - "name": "GitHub_Hunting_Query_8", + "name": "GitHub_Hunting_Query_4", "location": "[parameters('workspace-location')]", "properties": { "eTag": 
"*", - "displayName": "GitHub User Grants Access and Other User Grants Access", + "displayName": "GitHub OAuth App Restrictions Disabled", "category": "Hunting Queries", - "query": "\nGitHubAuditData\n| where ImpactedUser != \"\"\n| where Action == \"org.invite_member\" or Action == \"org.add_member\" or Action == \"team.add_member\" or Action == \"repo.add_member\"\n| distinct ImpactedUser, TimeGenerated, Actor\n| project-rename firstUserAdded = ImpactedUser, firstEventTime = TimeGenerated, firstAdderUser = Actor\n| join kind= innerunique (\n GitHubAuditData\n | where ImpactedUser != \"\"\n | where Action == \"org.invite_member\" or Action == \"org.add_member\" or Action == \"team.add_member\" or Action == \"repo.add_member\"\n | distinct ImpactedUser, TimeGenerated, Actor\n | project-rename secondUserAdded = ImpactedUser, secondEventTime = TimeGenerated, secondAdderUser = Actor\n) on $left.secondUserAdded == $right.firstUserAdded\n| where secondEventTime between (firstEventTime .. (firstEventTime + 1h))\n", + "query": "\nGitHubAuditData\n| where Action == \"org.disable_oauth_app_restrictions\"\n| project TimeGenerated, Action, Actor, Country\n", "version": 2, "tags": [ { "name": "description", - "value": "This hunting query identifies Accounts in GitHub that have granted access to another account which then grants access to yet another account that may be a sign of compromise." + "value": "This hunting query identifies GitHub OAuth Apps that have restrictions disabled that may be a sign of compromise. Attacker will want to disable such security tools in order to go undetected. " }, { "name": "tactics", - "value": "Persistence,PrivilegeEscalation" + "value": "Persistence,DefenseEvasion" }, { "name": "techniques", - "value": "T1098,T1078" + "value": "T1505,T1562" } ] } 
@@ -2418,13 +2808,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", "properties": { - "description": "GitHub Hunting Query 8", - "parentId": "[variables('huntingQueryId8')]", - "contentId": "[variables('_huntingQuerycontentId8')]", + "description": "GitHub Hunting Query 4", + "parentId": "[variables('huntingQueryId4')]", + "contentId": "[variables('_huntingQuerycontentId4')]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion8')]", + "version": "[variables('huntingQueryVersion4')]", "source": { "kind": "Solution", "name": "GitHub", 
@@ -2449,47 +2839,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId8')]", + "contentId": "[variables('_huntingQuerycontentId4')]", "contentKind": "HuntingQuery", - "displayName": "GitHub User Grants Access and Other User Grants Access", - "contentProductId": "[variables('_huntingQuerycontentProductId8')]", - "id": "[variables('_huntingQuerycontentProductId8')]", - "version": "[variables('huntingQueryVersion8')]" + "displayName": "GitHub OAuth App Restrictions Disabled", + "contentProductId": "[variables('_huntingQuerycontentProductId4')]", + "id": "[variables('_huntingQuerycontentProductId4')]", + "version": "[variables('huntingQueryVersion4')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('parserTemplateSpecName1')]", + "name": "[variables('huntingQueryTemplateSpecName5')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitHubAuditData Data Parser with template version 3.0.1", + "description": "Org Repositories Default Permissions Change_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion1')]", + "contentVersion": "[variables('huntingQueryVersion5')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('_parserName1')]", + "type": "Microsoft.OperationalInsights/savedSearches", "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "name": "GitHub_Hunting_Query_5", "location": 
"[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "GitHubAuditData", - "category": "Samples", - "functionAlias": "GitHubAuditData", - "query": "\n\r\n\r\nGitHubAuditLogPolling_CL\r\n| project TimeGenerated=unixtime_milliseconds_todatetime(created_at_d),\r\n Organization=columnifexists('org_s', \"\"),\r\n Action=action_s,\r\n Repository=columnifexists('repo_s',\"\"),\r\n Actor=columnifexists('actor_s', \"\"),\r\n\tCountry=columnifexists('actor_location_country_code_s', \"\"),\r\n ImpactedUser=columnifexists('user_s', \"\"),\r\n InvitedUserPermission=columnifexists('permission_s', \"\"),\r\n Visibility=columnifexists('visibility_s', \"\"),\r\n PreviousVisibility=columnifexists('previous_visibility_s', \"\"),\r\n CurrentPermission=columnifexists('permission_s', \"\"),\r\n PreviousPermission=columnifexists('old_permission_s', \"\"),\r\n TeamName=columnifexists('team_s', \"\"),\r\n BlockedUser=columnifexists('blocked_user_s', \"\")\r\n\r\n\r\n\r\n", - "functionParameters": "", - "version": 1, + "displayName": "GitHub Update Permissions", + "category": "Hunting Queries", + "query": "\nGitHubAuditData\n| where Action == \"org.update_default_repository_permission\"\n| project TimeGenerated, Action, Actor, Country, Repository, PreviousPermission, CurrentPermission\n", + "version": 2, "tags": [ { "name": "description", - "value": "GitHubAuditData" + "value": "This hunting query identifies GitHub activites where permissions are updated that may be a sign of compromise." + }, + { + "name": "tactics", + "value": "Persistence,DefenseEvasion" + }, + { + "name": "techniques", + "value": "T1098,T1562" } ] } 
@@ -2497,18 +2893,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", - "dependsOn": [ - "[variables('_parserName1')]" - ], + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": "Parser", - "version": "[variables('parserVersion1')]", + "description": "GitHub Hunting Query 5", + "parentId": "[variables('huntingQueryId5')]", + "contentId": "[variables('_huntingQuerycontentId5')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion5')]", "source": { - "name": "GitHub", "kind": "Solution", + "name": "GitHub", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -2530,98 +2924,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_parserContentId1')]", - "contentKind": "Parser", - "displayName": "GitHubAuditData", - "contentProductId": "[variables('_parsercontentProductId1')]", - "id": "[variables('_parsercontentProductId1')]", - "version": "[variables('parserVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('_parserName1')]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "GitHubAuditData", - "category": "Samples", - "functionAlias": "GitHubAuditData", - "query": "\n\r\n\r\nGitHubAuditLogPolling_CL\r\n| project TimeGenerated=unixtime_milliseconds_todatetime(created_at_d),\r\n Organization=columnifexists('org_s', \"\"),\r\n Action=action_s,\r\n Repository=columnifexists('repo_s',\"\"),\r\n Actor=columnifexists('actor_s', \"\"),\r\n\tCountry=columnifexists('actor_location_country_code_s', \"\"),\r\n ImpactedUser=columnifexists('user_s', \"\"),\r\n InvitedUserPermission=columnifexists('permission_s', \"\"),\r\n Visibility=columnifexists('visibility_s', \"\"),\r\n PreviousVisibility=columnifexists('previous_visibility_s', \"\"),\r\n CurrentPermission=columnifexists('permission_s', \"\"),\r\n PreviousPermission=columnifexists('old_permission_s', \"\"),\r\n TeamName=columnifexists('team_s', \"\"),\r\n BlockedUser=columnifexists('blocked_user_s', \"\")\r\n\r\n\r\n\r\n", - "functionParameters": "", - "version": 1, - "tags": [ - { - "name": "description", - "value": "GitHubAuditData" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', 
last(split(variables('_parserId1'),'/'))))]", - "dependsOn": [ - "[variables('_parserId1')]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": "Parser", - "version": "[variables('parserVersion1')]", - "source": { - "kind": "Solution", - "name": "GitHub", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } + "contentId": "[variables('_huntingQuerycontentId5')]", + "contentKind": "HuntingQuery", + "displayName": "GitHub Update Permissions", + "contentProductId": "[variables('_huntingQuerycontentProductId5')]", + "id": "[variables('_huntingQuerycontentProductId5')]", + "version": "[variables('huntingQueryVersion5')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('parserTemplateSpecName2')]", + "name": "[variables('huntingQueryTemplateSpecName6')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitHubCodeScanningData Data Parser with template version 3.0.1", + "description": "Repository Permission Switched to Public_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion2')]", + "contentVersion": "[variables('huntingQueryVersion6')]", "parameters": {}, "variables": {}, "resources": [ { - 
"name": "[variables('_parserName2')]", + "type": "Microsoft.OperationalInsights/savedSearches", "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "name": "GitHub_Hunting_Query_6", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "GitHubCodeScanningData", - "category": "Samples", - "functionAlias": "GitHubCodeScanningData", - "query": "\n\r\ngithubscanaudit_CL \r\n| where action_s in ('created', 'reopened_by_user', 'closed_by_user', 'fixed', 'appeared_in_branch', 'reopened') and isnotempty(commit_oid_s)\r\n| extend EventType='CodeScanningAlert'\r\n| extend alert = todynamic(alert_s),\r\n organization = todynamic(organization_s),\r\n repository = todynamic(repository_s),\r\n sender = todynamic(sender_s) \r\n| extend alertcreatedate = alert.created_at, url = alert.url, commit_oid = commit_oid_s,\r\n alertdescription = alert.rule.description,\r\n toolname = alert.tool.name,\r\n repositoryfullname = repository.full_name,\r\n repositoryOwnerlogin = repository.owner.login,\r\n repositoryurl = repository.url,\r\n orglogin = organization.login,\r\n orgurl = organization.url,\r\n senderlogin = sender.login,\r\n sendertype = sender.type,\r\n action=action_s\r\n| project-keep\r\n TimeGenerated,\r\n EventType,\r\n action,\r\n alertdescription,\r\n alertcreatedate,\r\n commit_oid,\r\n toolname,\r\n repositoryfullname,\r\n repositoryOwnerlogin,\r\n repositoryurl,\r\n orglogin,\r\n orgurl,\r\n senderlogin,\r\n sendertype \r\n", - "functionParameters": "", - "version": 1, + "displayName": "GitHub Repo switched from private to public", + "category": "Hunting Queries", + "query": "\nGitHubAuditData\n| where Action == \"repo.access\"\n| where Visibility == \"public\" and PreviousVisibility in (\"internal\", \"private\")\n| project TimeGenerated, Action, Actor, Country, Repository, Visibility\n", + "version": 2, "tags": [ { "name": "description", - "value": "GitHubCodeScanningData" + "value": 
"This hunting query identifies GitHub activites where a repo was changed from private to public that may be a sign of compromise." + }, + { + "name": "tactics", + "value": "Collection" + }, + { + "name": "techniques", + "value": "T1213" } ] } @@ -2629,18 +2978,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId2'),'/'))))]", - "dependsOn": [ - "[variables('_parserName2')]" - ], + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName2'))]", - "contentId": "[variables('_parserContentId2')]", - "kind": "Parser", - "version": "[variables('parserVersion2')]", + "description": "GitHub Hunting Query 6", + "parentId": "[variables('huntingQueryId6')]", + "contentId": "[variables('_huntingQuerycontentId6')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion6')]", "source": { - "name": "GitHub", "kind": "Solution", + "name": "GitHub", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -2662,230 +3009,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_parserContentId2')]", - "contentKind": "Parser", - "displayName": "GitHubCodeScanningData", - "contentProductId": "[variables('_parsercontentProductId2')]", - "id": "[variables('_parsercontentProductId2')]", - "version": "[variables('parserVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('_parserName2')]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "GitHubCodeScanningData", - "category": "Samples", - "functionAlias": "GitHubCodeScanningData", - "query": "\n\r\ngithubscanaudit_CL \r\n| where action_s in ('created', 'reopened_by_user', 'closed_by_user', 'fixed', 'appeared_in_branch', 'reopened') and isnotempty(commit_oid_s)\r\n| extend EventType='CodeScanningAlert'\r\n| extend alert = todynamic(alert_s),\r\n organization = todynamic(organization_s),\r\n repository = todynamic(repository_s),\r\n sender = todynamic(sender_s) \r\n| extend alertcreatedate = alert.created_at, url = alert.url, commit_oid = commit_oid_s,\r\n alertdescription = alert.rule.description,\r\n toolname = alert.tool.name,\r\n repositoryfullname = repository.full_name,\r\n repositoryOwnerlogin = repository.owner.login,\r\n repositoryurl = repository.url,\r\n orglogin = organization.login,\r\n orgurl = organization.url,\r\n senderlogin = sender.login,\r\n sendertype = sender.type,\r\n action=action_s\r\n| project-keep\r\n TimeGenerated,\r\n EventType,\r\n action,\r\n alertdescription,\r\n alertcreatedate,\r\n commit_oid,\r\n toolname,\r\n repositoryfullname,\r\n repositoryOwnerlogin,\r\n repositoryurl,\r\n orglogin,\r\n orgurl,\r\n senderlogin,\r\n sendertype \r\n", - "functionParameters": "", - "version": 1, - "tags": [ - { - "name": "description", - "value": 
"GitHubCodeScanningData" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId2'),'/'))))]", - "dependsOn": [ - "[variables('_parserId2')]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName2'))]", - "contentId": "[variables('_parserContentId2')]", - "kind": "Parser", - "version": "[variables('parserVersion2')]", - "source": { - "kind": "Solution", - "name": "GitHub", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } + "contentId": "[variables('_huntingQuerycontentId6')]", + "contentKind": "HuntingQuery", + "displayName": "GitHub Repo switched from private to public", + "contentProductId": "[variables('_huntingQuerycontentProductId6')]", + "id": "[variables('_huntingQuerycontentProductId6')]", + "version": "[variables('huntingQueryVersion6')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('parserTemplateSpecName3')]", + "name": "[variables('huntingQueryTemplateSpecName7')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitHubDependabotData Data Parser with template version 3.0.1", + "description": "User First Time Repository Delete Activity_HuntingQueries Hunting 
Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion3')]", + "contentVersion": "[variables('huntingQueryVersion7')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('_parserName3')]", + "type": "Microsoft.OperationalInsights/savedSearches", "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "name": "GitHub_Hunting_Query_7", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "GitHubDependabotData", - "category": "Samples", - "functionAlias": "GitHubDependabotData", - "query": "\n\r\ngithubscanaudit_CL \r\n| where action_s in ('create', 'dismiss', 'resolve')\r\n| extend EventType='RepositoryVulnerabilityAlert'\r\n| extend alert = todynamic(alert_s),\r\n organization = todynamic(organization_s),\r\n repository = todynamic(repository_s),\r\n sender = todynamic(sender_s) \r\n| extend alertcreatedate = alert.created_at, alertaffectedrange = alert.affected_range, \r\n alertexternalidentifier= alert.external_identifier, \r\n alertghsaid = alert.ghsa_id,\r\n alertseverity = alert.severity,\r\n repositoryfullname = repository.full_name,\r\n repositoryOwnerlogin = repository.owner.login,\r\n repositoryurl = repository.url, \r\n senderlogin = sender.login,\r\n sendertype = sender.type,\r\n action=action_s\r\n| where isnotempty(alertexternalidentifier)\r\n| project-keep\r\n TimeGenerated,\r\n EventType,\r\n action,\r\n alertexternalidentifier,\r\n alertghsaid,\r\n alertcreatedate,\r\n repositoryfullname,\r\n repositoryOwnerlogin,\r\n repositoryurl,\r\n senderlogin,\r\n sendertype \r\n\r\n", - "functionParameters": "", - "version": 1, + "displayName": "GitHub First Time Repo Delete", + "category": "Hunting Queries", + "query": "\nlet starttime = todatetime('{{StartTimeISO}}');\nlet endtime = 
todatetime('{{EndTimeISO}}');\nlet LearningPeriod = 7d;\nlet EndLearningTime = starttime - LearningPeriod;\nlet GitHubRepositoryDestroyEvents = (GitHubAuditData\n| where Action == \"repo.destroy\");\nGitHubRepositoryDestroyEvents\n| where TimeGenerated between (EndLearningTime .. starttime)\n| distinct Actor\n| join kind=rightanti (\n GitHubRepositoryDestroyEvents\n | where TimeGenerated between (starttime .. endtime)\n | distinct Actor\n) on Actor\n", + "version": 2, "tags": [ { "name": "description", - "value": "GitHubDependabotData" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId3'),'/'))))]", - "dependsOn": [ - "[variables('_parserName3')]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName3'))]", - "contentId": "[variables('_parserContentId3')]", - "kind": "Parser", - "version": "[variables('parserVersion3')]", - "source": { - "name": "GitHub", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_parserContentId3')]", - "contentKind": "Parser", - "displayName": "GitHubDependabotData", - "contentProductId": "[variables('_parsercontentProductId3')]", - "id": "[variables('_parsercontentProductId3')]", - "version": "[variables('parserVersion3')]" - } - }, - { 
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('_parserName3')]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "GitHubDependabotData", - "category": "Samples", - "functionAlias": "GitHubDependabotData", - "query": "\n\r\ngithubscanaudit_CL \r\n| where action_s in ('create', 'dismiss', 'resolve')\r\n| extend EventType='RepositoryVulnerabilityAlert'\r\n| extend alert = todynamic(alert_s),\r\n organization = todynamic(organization_s),\r\n repository = todynamic(repository_s),\r\n sender = todynamic(sender_s) \r\n| extend alertcreatedate = alert.created_at, alertaffectedrange = alert.affected_range, \r\n alertexternalidentifier= alert.external_identifier, \r\n alertghsaid = alert.ghsa_id,\r\n alertseverity = alert.severity,\r\n repositoryfullname = repository.full_name,\r\n repositoryOwnerlogin = repository.owner.login,\r\n repositoryurl = repository.url, \r\n senderlogin = sender.login,\r\n sendertype = sender.type,\r\n action=action_s\r\n| where isnotempty(alertexternalidentifier)\r\n| project-keep\r\n TimeGenerated,\r\n EventType,\r\n action,\r\n alertexternalidentifier,\r\n alertghsaid,\r\n alertcreatedate,\r\n repositoryfullname,\r\n repositoryOwnerlogin,\r\n repositoryurl,\r\n senderlogin,\r\n sendertype \r\n\r\n", - "functionParameters": "", - "version": 1, - "tags": [ - { - "name": "description", - "value": "GitHubDependabotData" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId3'),'/'))))]", - "dependsOn": [ - "[variables('_parserId3')]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 
variables('parserName3'))]", - "contentId": "[variables('_parserContentId3')]", - "kind": "Parser", - "version": "[variables('parserVersion3')]", - "source": { - "kind": "Solution", - "name": "GitHub", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "GithubSecretScanningData Data Parser with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion4')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('_parserName4')]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "GithubSecretScanningData", - "category": "Samples", - "functionAlias": "GithubSecretScanningData", - "query": "\n\r\ngithubscanaudit_CL \r\n| where action_s in ('created', 'resolved', 'reopened')\r\n| extend EventType='SecretScanningAlert'\r\n| extend alert = todynamic(alert_s),\r\n organization = todynamic(organization_s),\r\n repository = todynamic(repository_s),\r\n sender = todynamic(sender_s) \r\n| extend \r\n alertSecretType = alert.secret_type,\r\n alertnumber = alert.number,\r\n 
alertresolution = alert.resolution,\r\n alertresolvedby = alert.resolved_by,\r\n alertresolvedat = alert.resolved_at,\r\n repositoryfullname = repository.full_name,\r\n repositoryOwnerlogin = repository.owner.login,\r\n repositoryurl = repository.url, \r\n senderlogin = sender.login,\r\n sendertype = sender.type,\r\n action=action_s\r\n| where isnotempty(alertSecretType)\r\n| project-keep\r\n TimeGenerated,\r\n EventType,\r\n action,\r\n alertSecretType,\r\n alertnumber,\r\n alertresolution,\r\n alertresolvedby,\r\n alertresolvedat,\r\n repositoryfullname,\r\n repositoryOwnerlogin,\r\n repositoryurl,\r\n senderlogin,\r\n sendertype \r\n\r\n\r\n\r\n\r\n\r\n\r\n", - "functionParameters": "", - "version": 1, - "tags": [ + "value": "This hunting query identifies GitHub activites its the first time a user deleted a repo that may be a sign of compromise." + }, { - "name": "description", - "value": "GithubSecretScanningData" + "name": "tactics", + "value": "Impact" + }, + { + "name": "techniques", + "value": "T1485" } ] } 
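Review bot: The added `GitHub First Time Repo Delete` query returns only the `Actor` column, because the right side of its `rightanti` join ends in `| distinct Actor`, so a hunter gets a name with no repository or timestamp to triage. Ending that side with `| summarize FirstDelete = min(TimeGenerated), Repositories = make_set(Repository) by Actor` would keep the context; `Repository` is projected from `GitHubAuditData` by the private-to-public query in this same template, so the column should be available. The baseline is only `LearningPeriod = 7d`, so an actor whose previous deletion was more than a week before `starttime` is reported as first-time, and a longer window would reduce that noise at the cost of scanning more data. The tag description "identifies GitHub activites its the first time a user deleted a repo" is garbled and would read better as `This hunting query identifies the first time a user deleted a GitHub repo, which may be a sign of compromise.` This template looks generated, so these changes presumably belong in the query's source definition rather than in this file.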
@@ -2893,18 +3063,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId4'),'/'))))]", - "dependsOn": [ - "[variables('_parserName4')]" - ], + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]", "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName4'))]", - "contentId": "[variables('_parserContentId4')]", - "kind": "Parser", - "version": "[variables('parserVersion4')]", + "description": "GitHub Hunting Query 7", + "parentId": "[variables('huntingQueryId7')]", + "contentId": "[variables('_huntingQuerycontentId7')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion7')]", "source": { - "name": "GitHub", "kind": "Solution", + "name": "GitHub", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -2926,582 +3094,67 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_parserContentId4')]", - "contentKind": "Parser", - "displayName": "GithubSecretScanningData", - "contentProductId": "[variables('_parsercontentProductId4')]", - "id": "[variables('_parsercontentProductId4')]", - "version": "[variables('parserVersion4')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('_parserName4')]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "GithubSecretScanningData", - "category": "Samples", - "functionAlias": "GithubSecretScanningData", - "query": "\n\r\ngithubscanaudit_CL \r\n| where action_s in ('created', 'resolved', 'reopened')\r\n| extend EventType='SecretScanningAlert'\r\n| extend alert = todynamic(alert_s),\r\n organization = todynamic(organization_s),\r\n repository = todynamic(repository_s),\r\n sender = todynamic(sender_s) \r\n| extend \r\n alertSecretType = alert.secret_type,\r\n alertnumber = alert.number,\r\n alertresolution = alert.resolution,\r\n alertresolvedby = alert.resolved_by,\r\n alertresolvedat = alert.resolved_at,\r\n repositoryfullname = repository.full_name,\r\n repositoryOwnerlogin = repository.owner.login,\r\n repositoryurl = repository.url, \r\n senderlogin = sender.login,\r\n sendertype = sender.type,\r\n action=action_s\r\n| where isnotempty(alertSecretType)\r\n| project-keep\r\n TimeGenerated,\r\n EventType,\r\n action,\r\n alertSecretType,\r\n alertnumber,\r\n alertresolution,\r\n alertresolvedby,\r\n alertresolvedat,\r\n repositoryfullname,\r\n repositoryOwnerlogin,\r\n repositoryurl,\r\n senderlogin,\r\n sendertype \r\n\r\n\r\n\r\n\r\n\r\n\r\n", - "functionParameters": "", - "version": 1, - "tags": [ - { - "name": "description", - "value": "GithubSecretScanningData" - } - ] - } - }, - { - 
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId4'),'/'))))]", - "dependsOn": [ - "[variables('_parserId4')]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName4'))]", - "contentId": "[variables('_parserContentId4')]", - "kind": "Parser", - "version": "[variables('parserVersion4')]", - "source": { - "kind": "Solution", - "name": "GitHub", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } + "contentId": "[variables('_huntingQuerycontentId7')]", + "contentKind": "HuntingQuery", + "displayName": "GitHub First Time Repo Delete", + "contentProductId": "[variables('_huntingQuerycontentProductId7')]", + "id": "[variables('_huntingQuerycontentProductId7')]", + "version": "[variables('huntingQueryVersion7')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "GitHub data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": 
{}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "APIPolling", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "GitHub Enterprise Audit Log", - "publisher": "GitHub", - "descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Microsoft Sentinel. By connecting GitHub audit logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process. \n\n **Note:** If you intended to ingest GitHub subscribed events into Microsoft Sentinel, please refer to GitHub (using Webhooks) Connector from \"**Data Connectors**\" gallery.", - "graphQueriesTableName": "GitHubAuditLogPolling_CL", - "graphQueries": [ - { - "metricName": "Total events received", - "legend": "GitHub audit log events", - "baseQuery": "{{graphQueriesTableName}}" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "{{graphQueriesTableName}}\n | take 10" - } - ], - "dataTypes": [ - { - "name": "GitHubAuditData", - "lastDataReceivedQuery": "GitHubAuditData\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "SentinelKindsV2", - "value": [] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - } - ], - "customs": [ - { - "name": "GitHub API personal 
access token", - "description": "You need a GitHub personal access token to enable polling for the organization audit log. You may use either a classic token with 'read:org' scope OR a fine-grained token with 'Administration: Read-only' scope." - }, - { - "name": "GitHub Enterprise type", - "description": "This connector will only function with GitHub Enterprise Cloud; it will not support GitHub Enterprise Server. " - } - ] - }, - "instructionSteps": [ - { - "description": "Enable GitHub audit logs. \n Follow [this guide](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create or find your personal access token.", - "instructions": [ - { - "parameters": { - "enable": "true", - "userRequestPlaceHoldersInput": [ - { - "displayText": "Organization Name", - "requestObjectKey": "apiEndpoint", - "placeHolderName": "{{placeHolder1}}", - "placeHolderValue": "" - } - ] - }, - "type": "APIKey" - } - ], - "title": "Connect the GitHub Enterprise Organization-level Audit Log to Microsoft Sentinel" - } - ] - }, - "pollingConfig": { - "owner": "ASI", - "version": "2.0", - "source": "PaaS", - "templateFilePath": "", - "templateFileName": "", - "auth": { - "authType": "APIKey", - "APIKeyName": "Authorization", - "APIKeyIdentifier": "token" - }, - "request": { - "apiEndpoint": "https://api.github.com/organizations/{{placeHolder1}}/audit-log", - "rateLimitQPS": 50, - "queryWindowInMin": 15, - "httpMethod": "Get", - "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", - "retryCount": 2, - "timeoutInSeconds": 60, - "headers": { - "Accept": "application/json", - "User-Agent": "Scuba" - }, - "queryParameters": { - "phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}" - } - }, - "paging": { - "pagingType": "LinkHeader", - "pageSizeParaName": "per_page" - }, - "response": { - "eventsJsonPaths": [ - "$" - ] - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - 
"apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "GitHub", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "GitHub Enterprise Audit Log", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "GitHub", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "APIPolling", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "GitHub Enterprise Audit Log", - "publisher": "GitHub", - "descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Microsoft Sentinel. By connecting GitHub audit logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process. 
\n\n **Note:** If you intended to ingest GitHub subscribed events into Microsoft Sentinel, please refer to GitHub (using Webhooks) Connector from \"**Data Connectors**\" gallery.", - "graphQueriesTableName": "GitHubAuditLogPolling_CL", - "graphQueries": [ - { - "metricName": "Total events received", - "legend": "GitHub audit log events", - "baseQuery": "{{graphQueriesTableName}}" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "{{graphQueriesTableName}}\n | take 10" - } - ], - "dataTypes": [ - { - "name": "GitHubAuditData", - "lastDataReceivedQuery": "GitHubAuditData\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "SentinelKindsV2", - "value": [] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - } - ], - "customs": [ - { - "name": "GitHub API personal access token", - "description": "You need a GitHub personal access token to enable polling for the organization audit log. You may use either a classic token with 'read:org' scope OR a fine-grained token with 'Administration: Read-only' scope." - }, - { - "name": "GitHub Enterprise type", - "description": "This connector will only function with GitHub Enterprise Cloud; it will not support GitHub Enterprise Server. " - } - ] - }, - "instructionSteps": [ - { - "description": "Enable GitHub audit logs. 
\n Follow [this guide](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create or find your personal access token.", - "instructions": [ - { - "parameters": { - "enable": "true", - "userRequestPlaceHoldersInput": [ - { - "displayText": "Organization Name", - "requestObjectKey": "apiEndpoint", - "placeHolderName": "{{placeHolder1}}", - "placeHolderValue": "" - } - ] - }, - "type": "APIKey" - } - ], - "title": "Connect the GitHub Enterprise Organization-level Audit Log to Microsoft Sentinel" - } - ] - }, - "pollingConfig": { - "owner": "ASI", - "version": "2.0", - "source": "PaaS", - "templateFilePath": "", - "templateFileName": "", - "auth": { - "authType": "APIKey", - "APIKeyName": "Authorization", - "APIKeyIdentifier": "token" - }, - "request": { - "apiEndpoint": "https://api.github.com/organizations/{{placeHolder1}}/audit-log", - "rateLimitQPS": 50, - "queryWindowInMin": 15, - "httpMethod": "Get", - "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", - "retryCount": 2, - "timeoutInSeconds": 60, - "headers": { - "Accept": "application/json", - "User-Agent": "Scuba" - }, - "queryParameters": { - "phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}" - } - }, - "paging": { - "pagingType": "LinkHeader", - "pageSizeParaName": "per_page" - }, - "response": { - "eventsJsonPaths": [ - "$" - ] - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "GitHub data connector with template version 3.0.1", - "mainTemplate": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "GitHub (using Webhooks) (using Azure Functions)", - "publisher": "Microsoft", - "descriptionMarkdown": "The [GitHub](https://www.github.com) webhook data connector provides the capability to ingest GitHub subscribed events into Microsoft Sentinel using [GitHub webhook events](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads). The connector provides ability to get events into Microsoft Sentinel which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. 
\n\n **Note:** If you are intended to ingest Github Audit logs, Please refer to GitHub Enterprise Audit Log Connector from \"**Data Connectors**\" gallery.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "githubscanaudit_CL", - "baseQuery": "githubscanaudit_CL" - } - ], - "sampleQueries": [ - { - "description": "GitHub Events - All Activities.", - "query": "githubscanaudit_CL\n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "githubscanaudit_CL", - "lastDataReceivedQuery": "githubscanaudit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "githubscanaudit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." 
- } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector has been built on http trigger based Azure Function. And it provides an endpoint to which github will be connected through it's webhook capability and posts the subscribed events into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": "**Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Github Webhook connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" - } - ] - }, - { - "description": "**Option 1 - Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the GitHub data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-GitHubwebhookAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region and deploy. \n3. 
Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." - }, - { - "description": "**Option 2 - Manual Deployment of Azure Functions**\n\nUse the following step-by-step instructions to deploy the GitHub webhook data connector manually with Azure Functions (Deployment via Visual Studio Code)." - }, - { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-GitHubWebhookAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. GitHubXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. 
A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." - }, - { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional) - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." - }, - { - "description": "**Post Deployment steps**\n\n" - }, - { - "description": "**STEP 1 - To get the Azure Function url**\n\n 1. Go to Azure function Overview page and Click on \"Functions\" in the left blade.\n 2. Click on the function called \"GithubwebhookConnector\".\n 3. Go to \"GetFunctionurl\" and copy the function url." - }, - { - "description": "**STEP 2 - Configure Webhook to Github Organization**\n\n 1. Go to [GitHub](https://www.github.com) and open your account and click on \"Your Organizations.\"\n 2. Click on Settings.\n 3. Click on \"Webhooks\" and enter the function app url which was copied from above STEP 1 under payload URL textbox. \n 4. Choose content type as \"application/json\". \n 5. Subscribe for events and Click on \"Add Webhook\"" - }, - { - "description": "*Now we are done with the github Webhook configuration. 
Once the github events triggered and after the delay of 20 to 30 mins (As there will be a dealy for LogAnalytics to spin up the resources for the first time), you should be able to see all the transactional events from the Github into LogAnalytics workspace table called \"githubscanaudit_CL\".*\n\n For more details, Click [here](https://aka.ms/sentinel-gitHubwebhooksteps)" - } - ], - "metadata": { - "id": "Unique Identifier (GUID) used to identify dependencies and content from solutions or community.", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "community", - "name": "Microsoft", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName8')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "User Grant Access and Grants Other Access_HuntingQueries Hunting Query with template version 3.0.1", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion8')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "GitHub_Hunting_Query_8", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "GitHub User Grants Access and Other User Grants Access", + "category": "Hunting Queries", + "query": "\nGitHubAuditData\n| where ImpactedUser != \"\"\n| where Action == \"org.invite_member\" or Action == 
\"org.add_member\" or Action == \"team.add_member\" or Action == \"repo.add_member\"\n| distinct ImpactedUser, TimeGenerated, Actor\n| project-rename firstUserAdded = ImpactedUser, firstEventTime = TimeGenerated, firstAdderUser = Actor\n| join kind= innerunique (\n GitHubAuditData\n | where ImpactedUser != \"\"\n | where Action == \"org.invite_member\" or Action == \"org.add_member\" or Action == \"team.add_member\" or Action == \"repo.add_member\"\n | distinct ImpactedUser, TimeGenerated, Actor\n | project-rename secondUserAdded = ImpactedUser, secondEventTime = TimeGenerated, secondAdderUser = Actor\n) on $left.secondUserAdded == $right.firstUserAdded\n| where secondEventTime between (firstEventTime .. (firstEventTime + 1h))\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This hunting query identifies Accounts in GitHub that have granted access to another account which then grants access to yet another account that may be a sign of compromise." + }, + { + "name": "tactics", + "value": "Persistence,PrivilegeEscalation" + }, + { + "name": "techniques", + "value": "T1098,T1078" } - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", + "description": "GitHub Hunting Query 8", + "parentId": 
"[variables('huntingQueryId8')]", + "contentId": "[variables('_huntingQuerycontentId8')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion8')]", "source": { "kind": "Solution", "name": "GitHub", 
@@ -3526,173 +3179,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "GitHub (using Webhooks) (using Azure Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "GitHub", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "GitHub (using Webhooks) (using Azure Functions)", 
- "publisher": "Microsoft", - "descriptionMarkdown": "The [GitHub](https://www.github.com) webhook data connector provides the capability to ingest GitHub subscribed events into Microsoft Sentinel using [GitHub webhook events](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads). The connector provides ability to get events into Microsoft Sentinel which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. \n\n **Note:** If you are intended to ingest Github Audit logs, Please refer to GitHub Enterprise Audit Log Connector from \"**Data Connectors**\" gallery.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "githubscanaudit_CL", - "baseQuery": "githubscanaudit_CL" - } - ], - "dataTypes": [ - { - "name": "githubscanaudit_CL", - "lastDataReceivedQuery": "githubscanaudit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "githubscanaudit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "sampleQueries": [ - { - "description": "GitHub Events - All Activities.", - "query": "githubscanaudit_CL\n | sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector has been built on http trigger based Azure Function. And it provides an endpoint to which github will be connected through it's webhook capability and posts the subscribed events into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
- }, - { - "description": "**Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Github Webhook connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" - } - ] - }, - { - "description": "**Option 1 - Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the GitHub data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-GitHubwebhookAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region and deploy. \n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." - }, - { - "description": "**Option 2 - Manual Deployment of Azure Functions**\n\nUse the following step-by-step instructions to deploy the GitHub webhook data connector manually with Azure Functions (Deployment via Visual Studio Code)." - }, - { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-GitHubWebhookAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. 
Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. GitHubXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." - }, - { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional) - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. 
Once all application settings have been entered, click **Save**." - }, - { - "description": "**Post Deployment steps**\n\n" - }, - { - "description": "**STEP 1 - To get the Azure Function url**\n\n 1. Go to Azure function Overview page and Click on \"Functions\" in the left blade.\n 2. Click on the function called \"GithubwebhookConnector\".\n 3. Go to \"GetFunctionurl\" and copy the function url." - }, - { - "description": "**STEP 2 - Configure Webhook to Github Organization**\n\n 1. Go to [GitHub](https://www.github.com) and open your account and click on \"Your Organizations.\"\n 2. Click on Settings.\n 3. Click on \"Webhooks\" and enter the function app url which was copied from above STEP 1 under payload URL textbox. \n 4. Choose content type as \"application/json\". \n 5. Subscribe for events and Click on \"Add Webhook\"" - }, - { - "description": "*Now we are done with the github Webhook configuration. Once the github events triggered and after the delay of 20 to 30 mins (As there will be a dealy for LogAnalytics to spin up the resources for the first time), you should be able to see all the transactional events from the Github into LogAnalytics workspace table called \"githubscanaudit_CL\".*\n\n For more details, Click [here](https://aka.ms/sentinel-gitHubwebhooksteps)" - } - ], - "id": "[variables('_uiConfigId2')]" - } + "contentId": "[variables('_huntingQuerycontentId8')]", + "contentKind": "HuntingQuery", + "displayName": "GitHub User Grants Access and Other User Grants Access", + "contentProductId": "[variables('_huntingQuerycontentProductId8')]", + "id": "[variables('_huntingQuerycontentProductId8')]", + "version": "[variables('huntingQueryVersion8')]" } }, { @@ -3705,7 +3197,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "GitHub", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The GitHub Solution for Microsoft Sentinel enables you to easily ingest events and logs from GitHub to Microsoft Sentinel using GitHub audit log API and webhooks. This enables you to view and analyze this data in your workbooks, query it to create custom alerts, and incorporate it to improve your investigation process, giving you more insight into your platform security.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Codeless Connector Platform (CCP) (used in GitHub Enterprise Audit Log data connector)

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 2, Parsers: 4, Workbooks: 2, Analytic Rules: 14, Hunting Queries: 8

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The GitHub Solution for Microsoft Sentinel enables you to easily ingest events and logs from GitHub to Microsoft Sentinel using GitHub audit log API and webhooks. This enables you to view and analyze this data in your workbooks, query it to create custom alerts, and incorporate it to improve your investigation process, giving you more insight into your platform security.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Codeless Connector Platform (CCP) (used in GitHub Enterprise Audit Log data connector)

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Parsers: 3, Workbooks: 2, Analytic Rules: 14, Hunting Queries: 8

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3730,6 +3222,26 @@ "dependencies": { "operator": "AND", "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "Parser", + "contentId": "[variables('_parserContentId1')]", + "version": "[variables('parserVersion1')]" + }, + { + "kind": "Parser", + "contentId": "[variables('_parserContentId2')]", + "version": "[variables('parserVersion2')]" + }, + { + "kind": "Parser", + "contentId": "[variables('_parserContentId3')]", + "version": "[variables('parserVersion3')]" + }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", @@ -3849,36 +3361,6 @@ "kind": "HuntingQuery", "contentId": "[variables('_huntingQuerycontentId8')]", "version": "[variables('huntingQueryVersion8')]" - }, - { - "kind": "Parser", - "contentId": "[variables('_parserContentId1')]", - "version": "[variables('parserVersion1')]" - }, - { - "kind": "Parser", - "contentId": "[variables('_parserContentId2')]", - "version": "[variables('parserVersion2')]" - }, - { - "kind": "Parser", - "contentId": "[variables('_parserContentId3')]", - "version": "[variables('parserVersion3')]" - }, - { - "kind": "Parser", - "contentId": "[variables('_parserContentId4')]", - "version": "[variables('parserVersion4')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" } ] }, diff --git a/Solutions/GitHub/data/system_generated_metadata.json b/Solutions/GitHub/data/system_generated_metadata.json new file mode 100644 index 00000000000..ed21e32265c --- /dev/null 
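Review bot: The dependency criteria added at the top of this list declare three `Parser` entries (`_parserContentId1` to `_parserContentId3`) and the new `descriptionHtml` says "Parsers: 3", but `system_generated_metadata.json`, added in the same patch, lists four parser files under `Parsers` (`GitHubAuditData.txt`, `GitHubCodeScanningData.txt`, `GitHubDependabotData.txt`, `GithubSecretScanningData.txt`). Which parser was dropped is not visible in these hunks; packaged content calls parsers by name (the hunting query earlier in this file queries `GitHubAuditData`), so if a workbook, rule or hunting query depends on the missing one, it would install but fail to resolve that function, leaving a quiet gap in detection coverage. Either regenerate the package so the criteria keep `{ "kind": "Parser", "contentId": "[variables('_parserContentId4')]", "version": "[variables('parserVersion4')]" }`, or drop the unpackaged file from the `Parsers` list so the metadata matches what is deployed. The data connectors deserve the same comparison: the template removes the resource titled "GitHub (using Webhooks) (using Azure Functions)" while the metadata's only `Data Connectors` entry is `Data Connectors/GithubWebhook/GithubWebhook_API_FunctionApp.json`; the retained `_dataConnectorContentId1` is defined outside the visible hunks, so this may be only a renumbering.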
+++ b/Solutions/GitHub/data/system_generated_metadata.json 
@@ -0,0 +1,33 @@ +{ + "Name": "GitHub", + "Author": "Microsoft - support@microsoft.com", + "Logo": "", + "Description": "The [GitHub](https://github.com/) Solution for Microsoft Sentinel enables you to easily ingest events and logs from GitHub to Microsoft Sentinel using GitHub audit log API and webhooks. This enables you to view and analyze this data in your workbooks, query it to create custom alerts, and incorporate it to improve your investigation process, giving you more insight into your platform security.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n 1. [Codeless Connector Platform (CCP) (used in GitHub Enterprise Audit Log data connector)](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal) \r\n \r\n 2. 
[Azure Functions ](https://azure.microsoft.com/services/functions/#overview)", + "Metadata": "SolutionMetadata.json", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\GitHub", + "TemplateSpec": true, + "Is1PConnector": false, + "Version": "3.0.1", + "publisherId": "microsoftcorporation1622712991604", + "offerId": "sentinel4github", + "providers": [ + "Microsoft" + ], + "categories": { + "domains": [ + "DevOps" + ] + }, + "firstPublishDate": "2021-10-18", + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "Data Connectors": "[\n \"Data Connectors/GithubWebhook/GithubWebhook_API_FunctionApp.json\"\n]", + "Parsers": "[\n \"GitHubAuditData.txt\",\n \"GitHubCodeScanningData.txt\",\n \"GitHubDependabotData.txt\",\n \"GithubSecretScanningData.txt\"\n]", + "Workbooks": "[\n \"Workbooks/GitHubAdvancedSecurity.json\",\n \"Workbooks/GitHub.json\"\n]", + "Analytic Rules": "[\n \"(Preview) GitHub - A payment method was removed.yaml\",\n \"(Preview) GitHub - Activities from Infrequent Country.yaml\",\n \"(Preview) GitHub - Oauth application - a client secret was removed.yaml\",\n \"(Preview) GitHub - Repository was created.yaml\",\n \"(Preview) GitHub - Repository was destroyed.yaml\",\n \"(Preview) GitHub - Two Factor Authentication Disabled in GitHub.yaml\",\n \"(Preview) GitHub - User visibility Was changed.yaml\",\n \"(Preview) GitHub - User was added to the organization.yaml\",\n \"(Preview) GitHub - User was blocked.yaml\",\n \"(Preview) GitHub - User was invited to the repository.yaml\",\n \"(Preview) GitHub - pull request was created.yaml\",\n \"(Preview) GitHub - pull request was merged.yaml\",\n \"NRT Two Factor Authentication Disabled.yaml\",\n \"Security Vulnerability in Repo.yaml\"\n]", + "Hunting Queries": "[\n \"First Time User Invite and Add Member to Org.yaml\",\n \"Inactive or New Account Usage.yaml\",\n \"Mass Deletion of Repositories .yaml\",\n 
\"Oauth App Restrictions Disabled.yaml\",\n \"Org Repositories Default Permissions Change.yaml\",\n \"Repository Permission Switched to Public.yaml\",\n \"User First Time Repository Delete Activity.yaml\",\n \"User Grant Access and Grants Other Access.yaml\"\n]" +} From d03faf31b87bb108c4d1a9025531f39bf7533cf9 Mon Sep 17 00:00:00 2001 From: v-atulyadav <104008048+v-atulyadav@users.noreply.github.com> Date: Wed, 27 Sep 2023 15:20:53 +0530 Subject: [PATCH 3/4] resolved validation failures --- Solutions/GitHub/Package/3.0.1.zip | Bin 30671 -> 32087 bytes Solutions/GitHub/Package/mainTemplate.json | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Solutions/GitHub/Package/3.0.1.zip b/Solutions/GitHub/Package/3.0.1.zip index deb1d5638db68f091349d29f60c22151b96c25ce..f48ffe98ddc10b6c8bc621696d54b43640536593 100644 GIT binary patch literal 32087 zcmV)$K#spqO9KQH0000800DYCR~^2?GF=V;07z8;02crN0Aq4xVRU6xX+&jaX>MtB zX>V>WYIARH?Oc0r8#faF|A6}rgn9={fgZN|N`uQ4I=f8+B#kd|8XV#vpmr&VHFvos zxl)y0zWdD#xi3BZNF+as3j*8Aoh3Olzj=||{o}8HVXXBx8%;&RTaQ?4>Re_Y4Fmd->5>O5;q15w=-^dA{-C_#UI!Njgd~r za#A%wleBN-2X10$9CKwwx4bjrRz|i?42`j{k&&4TBmYAt6J|~H_^gzU;q(4Px@kVj ztuQd6LkXd5h!g*__X-+iD%1dk1(O^+(-Un6Po(=PANB2Qa@Ly5*iE6|Z@YEjkVIt)tB`jO$90!A;rCPu^6JZ?_Ga$1J0K=4?ST;5~ zVSYFyUejG}k*Pq!^H@53k_}IuQZH;SMpLcNZJ(VY*Gr=#vWN~quNEJK7fs9^hZ!M} zVRLQHN7zG`{gw*@Q+4=cM95`PZXHaK1HK(lU{^AYw8^x=+n!b?nb9-h`;+MmIF%Dl zLV_ESu<+zW&X5tDR}ut|(17320X>*0?m(sqvm(lkbc_C(IZGM+c<|tL8VjQq*heL$ zQxQ#54f2q{GT=5wR8>!rL<+z#$IpR^vsh#TI!mJk!&XrESSzLH1fE)lo?ELE!SopE z07K=oIG_Mn0HOkXL7s0)YMp$q^I1-Oz@<&_+WFdnOJLm!`Pq=}n>H15&ep46|wj5&15Dm}C zh`r2#UwZH>Z2u`oflS!H!RDmD@es#)`%G|?dK=**ox3$oVZ}KTSA~c>?7wWam%?qW zde+9nrF#WUc3Rz92(kI79z$x;1#UtIV8W3&0Y4yPAHCkzDOf!=z9>*?pO?XSP>x(5 zb<=}fJ@x*>4$yzujHCXtV)Oy|E0XvHy*0WZtzAG2u$K{0j=@*hR-N!&b@8z-GNmKF zR$LI_IoigaOiU>Y@p}DP{0GiEGtFPnBB()Q>~e_ z5<*0gIBb}Dq0lEr=h@2qIr_^VewP*@40oN$>m3z;hChmqtJI`~Mm;BLr!%TvWI-^zdDXrD1L@rts5ynzsg2hIQN@5no$ss-?Pw4$n zxG#eY7zqKwk^<`&aieeWO5PJ=?{6pM+)P`EbmFG%h7jAGK62RU?swj`nxcldYu!4K zOf@EWttUU6HjxQwqMOo)Fh0PeT{lh`NXFg0nl)V2fWGIM?1cpN@!|gAesBL_Z~tHq zCcI9&<&@TGaehSw9_b{3y!zPa>=+Wd2DRcNp^$t%8Xz)6Vyac_bMIHA9|-UphF(HJ z3?s&vaL%PtOrhR&s%ns^A;Ml064n{WMx9;JDH)E4f8h#LP6|wT*7ksGd-G`TH4R{| z)1M)Emj${Gd;CufzL@aZw$sm`M-%RW<~v>oO#xr@CzKtkpeh(M;Cg{kR8Rzgxm7Vp|#!ulk6(#449mCkjA&S9lL7II>Hf z2YS^qrLgPKv=q!6L?gvxaVj0n=0Zy0v$d5-x9rf@&+GtFo8R3^yxC|Ur$GHL2nFXW zkLb)t&6QAs-QgGo;LE}#)I63D-Av`Es0rm9`w!&m5l<=TglsUB1FFaYiy~r8;ZoXB zpAE+V&048N1KYAb^W`mOY?yHS3Z_=5RFeaTU8U-iT*f?&DDn1bM3w4e=GJdD#qqIz z*^G%-Q(2E}#oVys#2USEZ??vJDDX9@#SGpn)Yk)$!v_VeFDp}^=SqG6I((EntRKZ{ zb6HT1ghM4l>1TxUwH;JNu^dBD4V^L+fTboJmJ*ceCbfBAWU*k3jf8R$Dyg2+J@~~S 
zLxoHnZd$<;tP7}QE-OJuWK#(`0N%Q6>NDpq7NQW}QnyrcB8b5AWguICL<9^NsmX({ z%3=E;0eqhy?iwCA$hsSKFSk+wgh`_9)b+7EF!cgbZ`GF0u29y6>I{4C6+JI^{IS{4 z6n1q{rqh>a7%N$OGiO-64T;jTK+%lMP=`ZQ2A5JKb4R6DLaW+PBD69nvYXEx>$IMK zHv(NVx~!k!b>m7ovm16y^`({4GZm9*+YZ|KRH%%Wd?t{q6iYtVJ0+B=BW9gh063LT zr8d~05i&*iEY+;0zKJ(>9RO#52mJh-|f zUkO^SS$UuoNXS}Vg)p*0xXIS=-#SUJ%yq5J5$W~SPmf&y0pD$~zb6fY0&^->h(RJV zC`gNfwp^S9>k(A0Q;JtEv92g`MU^WJ@9LM=)9p0^<7K){bEUSe&coYMCo=Q7il{EG z7(dH(qxJD~xc2s^#?Q5bvCoU2>t}e~_*u^EF2v8~ZbUIPW^$~E!dke!G#G}xn_4y1 z=*jLdC|1(^(+9;^ILvt66s2u@zBK;+&1pZ0-ply$3GGbuN>1O?ro{XDj_@V+{Tbrl zW)N+MU9CvUPdBpX><0o zn6o1drMlT(+Evc~4k042TkO*KtP25=YTU4mfKRo+tyyYA%`;r?#7bwhAis_0Etp^3 z;_1R)7VB!-On53kP}esMk}tOik~J>m1<&1-@hnp^NUjHBjFd#Xg7nk~w^Oh3yTzs=dTm&?n&Ncgy(>Bo%Bg?V0Sov%n3g6rs6oA9t*mH=n6YG%>IVEig`IB~t z4_xvOd4$FGB%}SH+?1uFoTNQjp3b8sA>KGuMkm7bn9&A{9LwSiip?X4+O*;%a7_ur zmX1X@Nhb}9gi_fQYIsa(fGV6q0J<^mOyN;7jByc9`=qn=92pVk{!oTsM%r_n3XdYp zC+Qp?9?ya@*f}1Z!z5@6f6h}njTn2)`>B>YNVxq^g|9ZTKL$F{EKhwAhh}rL7VzyB zEntmjd~HLXIg$#we}jQz%0U6!caGoQnni4Mj`?Qx?}dMScmwFbr~w8Kjv;Ku)N75c zgXG~I1<8d{xEEOY?uM{3LQU+zeSCL^kr8+<&WTq!*S$c-!Tt?FL#8uY&rPAfgS)t3yn*@qfsAdg7heS#i7>lJR1faby74Ap zc;4>^F1EQu{PW9GcEhFo!R@U9|G$?16V>tu+g$oyIN6VshC%~pDoLS7jC1LZ+*7@tBbPz;=?rIQ1Wm7ZN9oFD%CE%^4B10 zo@}{@^1A0+nlrn5hg`z^SeW3Yhg%>TVv7~aPtt)?bSmfp!>NpoCta3ZL<0?1Gyf&Q z{#nnv1U7eYSfwVw#WstN;17P326C!XnF#ijDl^EEk`abENT7ysTwDTd(5G(An>N_G zU58q?kVP5)=`HxYe18Nog@G?!p*bmKvb-1;%nD4GdeH*~J#oFjX;55&tT+%}Kp1o^(sVmxwwA`FPglHPWKvfDd|b0w55d!?)r2l=L) zq;wUC-8?9Ea3%-SYG&usMN@pC7*EP(M$Ql@xSEuYl#F%)lUqEb^C>X#r@8#TfIp?M zL0ESZINLnRvRb+khA92nO@e%Tr&q2C73u6!`BhYLl-~em0*vk=Mz(pNrHDAl`V+&k zhzOMwmJBa26I^q1C*ZlgQ!Q7luBz|2Rawsj#e#4t>u#QEl3G!b&!-Yn7+l2n#I{De z5N?J31`t&9`U+7`Ro~)jy(JrJf8wWi0A=mZ`20>+{FZZN zizl$LTMR$1Mqc_(4}EK=;GyxIomPXh;-cLkslJGWG;2mHKJY{`g&*+$e^5&U1QY-O z00;nqdOKG}CBn7*Z2$lW`UC(G0001OVQFquWo>Y5VRU6KYIARH)LnaX+qRbfe`oeP zVBMXutubX$q+Z$G&iW>4>)AZKvD561lW8Cllz2^%EFX5<-hB6a4ggXV2|lFQitF3C zb;$$ZoP*za0Wk6Bzy1p$2mc;hOSYm1&&a_tNy7Nq>8W_qUs0bf*oyf{pZ<|XtZxM? 
z`7S;k4)mEeFtvexYO~M_?vd__twN6`tpE2o@P9Zs;R9HKpTN6cSrog0kK^e50sc?E zU$KPRG(isj#0T(*rpYphko2`{ML`@m3DHQLhG7sT|GmndAw!}QKFkVPh_TgW;H3!+ zMiR*oae|2a>?XgY^8=*+DuxbeL}7T~tT4D2STqrw%17`pxepok94C?MFS0?Ad)I%( z{6(^axBB|A%^aF~$*eHv(=s+cle?vBEr}Zwn?>#|4CzF{ij%)OBYA^^jPI}F zm#^9MRJ-h^-?AdNR@XJ)4+cCse8(0X5&;o_C2@w5Y;Izr0m>Mn0wII)Wz523k6HNJ z;mH~`M~B(_!{g&m?Xqu(+#p#!+B%8+AsdhQz$nN5t6)LSeCpjNt`);vvWStjZC!%l zxIXi6dSjNPVWTMXAh^*r?0UB;6m|%MT504a_wB~iP3kw9tcb~s&sIT(y9?r{p0`)t z@n6z&-O|XVbB`4rSBB?v8@tTCq!mQqHaSZ5@o+fNhqIYJ9+>@D&bqm9lO;IDOf|o4 zc66POb#%CXb9kJ4t^)`NuE#aj=%Ihh>55(QhsECV;opdfk$9=TFGLgr;)$M9r0(;; zcihFft*_gEVDlv^HSeZGRphDgs>m76BfRjz5d_h55!RZ=XlPL!uZFC4?5qp+1t?Jm z@1zGiw~wOruZOvX_uqz0K!AGZ&|%d3~KERWv1&s*5PFQ!9s*HU6?l+h&v_7nko@sa&>pG1o ze%^hlb=e9l8K0i-^Dh5hTVWvV`xLAp$)&6 zp$*lBHmozWVY{Jq)XyFbZP;XJ!&XCUz(SvGEW;9uw(Q0kA=xDRG8Z8$2 zYPGcuZ9W-WGumvetn#dyuFoYhip|X6J#_g&zR{@1zSs=P+NH}pR}%%ZmWGhNGEJ}a z)SNAD*b-xGy`c2_EH|vVGqUlwm1N+dW>Q!)D zHjiCWzq|R)=8-|MY9K0wRZOI81dZC6 zVQexUv-#YatW{dyPjOzZ;0QqtiCiiDiMDKYYxB+%_c>U?HM!@C>Q32_h$D#z= zWy6)Mr;g8>(Z5URppA)BtpppEq@emHhfH_RSMuEyJd~>C_op%o&;E7R#u3EHza<+?!&UW0W$_MhFIQ@faNngG-80-(rKt+b?Ql0c!rkl$_hAd% z%}#JP>)~!bI^509a5tYQ+|6y^Za#guo891E7F$6w>InByN4Og;a36Jo`=}o7qeqAP zs59J0PZaK>ZQwq7`fwk0gL_$Q1<5#ryWR|UPG>mIz;U3AwP#~PGY8f{n-7hVW|#xh zndu{H+ig|txD(vR^>80QI^4&d;XZz%a3602_wmz*`?wq2%VH}?CLO)|q>FbS4y;)V z+$WvjKB zPahrb)6Q_8K2f+&w}Jcg>BD{64en*J6(qBcaG!OA`?Lk_vrcfI)x&-E=y0EPhWqS^ z!hN<4+-FZ8?z3)iFN>`p(FYyzE(qHIZ?>m1qN7&C>w|`^rop3Q9*6G;ddW>2ZugIR zE<OSiKAK!PU3bt$N4pSiJ%Hd)Q^&Vw?5J?z3*U(fU`| zY3;hz+F`F%@4DG42sNVzu~HP-*MHS>Xxg%)t;;V7ua;wJMOwx zBv;Yo`>riZm4a|IGp+H+u(gRkqk#OOq0I-wsb-9sVd@4O8$;HH{BAq1dc)SM{`h;Z zdiTv&{i*K0>RWBU>VJX#SH0r~Y(;VvjoB6XoN#0sW5=B6fOmkusatbxZWx9(9!+Pu zGo4N>vu#sK@3sl6H|)adkG~D8ci)HApXx@ezST~w{ukJa)jRIRRwQ4h_$T0t|4mtR zUw`JZNVOgl>70RWz(1D8#uRWr9Z<-1*i_T!_QbNL=5(qT{&2g#pCatlREITOpEn+) zR2={>|Jh1WyLDsN4E|ltQ7(UPLVT?R8-Q0(ebYJ0k~;cPJ4A4hHt_F-qR z?V$+djGR>ShLqPo4)@EbJ(T4V% znP3ScYEE0gUP~n3)m~!yPB#V>`l4*gMi)a4EDVw 
z?mK|JlD9X3eV4R-zhGA-?J6X)zL{6lH0+qI6A2u zk<&T))G}>nu9*(5#?ToQsB>`i&SW&6*}6TRj%W+mD@P~QRP|tQIy(6vV4rpd`(92? z?f~}6$;l?L?{ac-zhGA#oKzvXEOj<`S>hc8j=h})zLZa@!d7UB>aCPc3Wu`E&(Y>z zPzHIfh0N9O={DO&jWOrg*#4PD6&_B|X74e>d0EsWT$%kB!K zJ{2F5t^KZOWgWj@@?_(S;0M=A>(JKUfi5<*`A3`LxBgl!{Q39)aBGG`YTeL9#TOOP zaJ>Gm^{2IDFh#&v;ub$ZEJfbSUVc|v zO$U^2<%`?J&r~Z}=`Kv?o*OS& zv@tI=#086gO`{t-xZ~=+S~7Ai*!gsn8R*^JU0-}W4Q=w6+zAHD{z1-g%s+>2(U8tv z4-ksq?guIGY6B@}oX&CZIkO471z^VT9*A<5*I%|5@=J#DaYdswe|BKS1qM%<4^HBi zc{ss^XOcD7yg9UE?xLR%$WqR zrQ$g<3NTy&qrOd60k~4~(f{a^UhfSI`mEO@=MMHxXoS~D03Y%)iuE*sDhdB4FY$r} z@O0rZ3gbk~VG&Zw8F>kfqY(IJk{WL;$ZcC(#_;i=*Tb(LuAj%f-p2#7pq>Z0SHA|J zi-?9x%+6eu6U}~<28loT34bvCH`29U1qo=H12$q7!>cgV2)Os}LpYVJq!P79!Ab#No zG?A`W5E;OrQ5WRD$clbB+EB}Jxrw;x!;Sp_)2-y5lOI2T;-oXf`MrM*J_m3_cT!>& z{?B7+)tO4_Rd_2e;HVjk(`=*7S1={uZn7Eaq*(Bbe+Onsfo*74?&(KD7r~KX*J&Ko z`|VRfZ>j6aNK%(spv5ONNpXtw8qFTK@rBINo)L$7F;mffRWktra^=RD_|;@VoGMFZ zFJubWG>Ns45h+*JzH{DK52#J{U$`;U0{2%?qha?E-i(Cd?+#H;3WNl26O#9}@F92< zjM(p~8!@}Vl-9)mO~bb&pWQrT55F=n&87#9DptpeYL1nLyaUf>2^LZXsrcTn#HckvIw zJb~IcFpr)40R(3_8`i0spV~kAWBv>^>#b)Sc>BSnhP|uyl zV3=_cTa9WeWohr~of%-OR2||Y3y=(iG=ECY!Vs?s+X<_s0Xl=#$y%HO__m#$ErOWq z#{dmJ)MdiLo${HI#(#uT>Fw1^ES0X7ptp4qxTGUs$V6VwJ^(_Ji}G{O?V zE@`Y!&S37KI9eBwK7slo450Qxjf)CVI``MeG{bx~!T2|juoN;wfV$1v4=O^tc?1ROxL z;pRcZXBX#0+;HjsA#4S_>QQ`5Fen5!%*WqBe?lkVILWVg?Oeb7pnw8V`7^R&){^>e zyy5|ekBuWnSi!;^;y{FF&!GM5p90Sd?oj`+xC2r`zmr{tp%$~~*0nZ%$M~S#B6Auq z@R<+c^cb1JWrs5Vd>NSfC6J?sd9>N;^_~OhftR;$UaoJjbhsuEZ^>PDJtTTE5`?)Y zl$S;(8w)w8Tzo>~IIvt^m~INw>*0C{VC4Mu#oKpRXK$|16a0-iI5nb6J}mSh*GfKQ zW|<9g0-oYlc-TBNlJggY559hK5xG##+;jCFLD?fLKXi*Xb>?z5#qgpRY>Zuv(Tk{W zSFI&>z*&88`R$1f14`mt>T|m`9EhK~*qr@9IX-9JM%n?oZS1r@55=Fno_!vK_qc}p ziVx6`Z8UWEz4R-w1W?;U z+v~lM&P?Wf;F9KPk_6~9z(I&b-jB)kzgU%hLWc8V1Bs=ytqA2}RE;4m(&qOX{(B?SCR`Ty%B!CSezWM8GKDF00p^_u3mQJmxiT6hmW#s2{Y;$<5zAw_m9 zw3rbRx!J|H&ZXOU5#0H>i>1obQNlKB|FE|9Y#1;l7~S<)pS=8%L{OF!JQC&Ja>L-8 zRk$nb71;sRtiluwrZ4mV>6rm)YH1M$Abwh_mJzQ^sV#8hdz^LnQ^!KnFf-i76~YaZubh$xDUfnSZ&36o>j;+? 
zBnxi2w1cYii1inJ>FECte~zV&SV75@M0lod#R?j};698P{i$r=xO6I1BKI!4v%Xb2${Na3LZn1fp}l^6n(_>lM~<*}3TW!S0H}Kwibe z$a(JeP(M=hF@Oae5xTyF&QI1|kT-xVTBYQ@K`=S9ZNjLv%yRU#Pg69)WYPvVZ1bGv zM4pLTGB-l-hJ0@opvX^m$~7CT>tm+Hcytio9zVlGJ^7fd>){ur2T*Q_Ctk3~zbx@S za>-F3*Q|~qx5JFBOn@Hp7V_`RLBo5JeNrOkYgqZhqgZCMU5;{Mc|mFmv%?cAp~p@* z1wT||iPtB%HY^u4xNL;)PX9+CC;2(JeSayaVWe9(3VZ}LOb6)3b?ysoW$;?7TLh42 z05GF_0RUcyt#2> z$@BjgG2a2Bc^i^;NQtB_%C@{u?)K5)zE&;!#fI6z00~IKG)Zs(QnH?>zx!s^0Tk-M zL4p)TmBNPvR2J&U%*y;#R@R4mga<)*5Y8oHN&Ojk)!RuHhu#jK$&n8lbTD!~TtJ=9 zL0UYsm<=)R$Ac;;bjI9cU0}OIY`v#u0bTXMP{4Jk(?T9OYB^)HX!kD3Rt|1Ku+1PBih>d+!}3;8 z`DDWYl%g}Ak_r<8Dzzcer*zON+oxzrd>76~9;tLNA|`e0Q`L#Z!EKtvbjKC!3)cJu ziDrCGHk2~WNR9OwsWp*tO+e4i0Tm5gYQ_{$Cwn~&Hp_ot&&~ent%ybuWm-pI)EL@; zz=au;Wl_GrQ6u?{hwZru5EuOUw>Pi%(QlwJl=RJ`Lyr;olVRW|Xc3VFGMqeEKSuWk z6u=m)@0lqW625+)#%E{FS}6s2>~ki{+E|*hOCA!PRG2ifqR{QoU9;S8D4XV0zY)); zQ?QA1KQaqwKuOvW^KOdTAamJKF!_RIImf12{gAAv^uJB+TO0;)3}#^!rqw)D9!U@6 zky3_bnF#(wT9iSlaKI-asp+D;(%}#%IZE?JJ?3DnNna6HC9jKglc?^hAKPJdovArF0FJy za}2Cn1yz+ECuN+;88MO5dYAYLOZ!GI>E`pj`BiC8)Gm5d(R>tl`|OD2l|!N3P+4?D zTD_f6U?1e#1=a0=%p#&+|BKfB^6P!(V}|v;%DP@@Juh0vE3eY~26;CT?y&p-|T;p+EwP#h1-)`cu+q{8bvQ%`u){Mm!AE(VbMq6oAp5plI=kh~Y zaME2J!evjk*LR{luUq-2e$A(S^H2F^ft&nOy`@g`Y5~p#&Sa{?oNeAJPwg&rTDRnZ z#wrIHi%;bip2jUYg{wkWN;P%OXu&DlqRD+xr)#U8s$B*16`YdQ&_f^Mt227g!|iDNTDyb6Zbo zE+7u&Ph&1nxjl8c%)r^xl^cG#viii@QZ_V$)rtF**c+8M5xnjw_s#6MJvm2=2Asn zLZ^hMT^g&G30J$APl7*j8S9T>O$=fmG3~fN3lUnt=X=bx?YpzS zx8K03@bjWkbTI@aFrEZA{+|Ij@q4>rblXQo0k+akN^(j1ctKaeew;kN@~2^pVK$FS zMG?Hhnv{ydNGa>$Q|Yt4*()^bG&R%GoMHMyTC9)Iucqm5#!~`6g6pP!cn%MBG~h-t zk~AzwAx?u9C`iR zI<9?pj54QCV#K(n{0}gvUko!fpzr$G8ROE!|IHQAkD_+o(H2cl9_emq*_pYw#&pc4 zeOs=r#U)d_h3cf?z={&lmDl7EP%`RnY94_O+HUL2BS4LjoYRJM{VdEJV6gR)_nI|X zF{0^@x)Wc#%4LodE@DY4*B_gP)lsY-W?EFvDnO}Ul};x>XR1Itt5{`>xFCT*smuT+ zvkX)|Fvx#&u@yFffR@N65D=-KO#*=eZ6Ie3P?bRiTfR6Y0Bwz2tV}L|l9Z)27N@BX zS26fxCH%l@4(7tnof%!wI&+mKKHqt(Da$IA>a?OfpW&IAP_S zFJakF7XA8kcD0NxMki`>pGH(b2enVPHh*VDt6P7qLoGYS#HeFQ}uxruB< 
zQBhscCkLq$-5}9f{5kyIaME#s=i(r-kCUQ;%1o%E`N%&IUa<1BFdU(DC*|T$(}S zeC14xZv3U;&Wx-&jOw^;+YY9pP<3Q>BXbolb!P<|nVoIf$m}e?k*T-aoZ2=rjrH4& z%#toW|FIjHc@OMHW*r-uva~L`k(uX#EV`emw5{}hrb1a-adDdZ@Tb-7XV!%;)v=$M zKmUtuYv$Hzy;SdEcBhxhm-xw)0{`qMZWDPH`=A3c zr5i89A8d~E%b0Uz{;P6hiecRM>vVS2>czKo-g3R*y1d*1Pj=gOW+f%4BeMIlt8jpi zRg_D2wtZP+{dQlrqyx@>?7nQ?1G_I<$G)sAt&8ra)A3b{BR1yQuiNK^T6qnQd3QkIHWk;m!Cb z8+Rx9Wt+BBIajgQPnPFa6}b!tVH0(`nt6hfEC_}qxr<6lQUO=^^e$vg0Y&1$BRkJZYYiq|y-Y=Bs%ePCT;_R@RO>HRWe_YpIl2QUy3-kM5pfpB8R+L~)^)s_|F z$dVVW3?}?!@?-2!e8uiIh6m(2aeVeOxuz(6 zLTqu`J8w=^?K^Dv+1c4?i~M|L)$-d8XkmI;3(CjuR5gwp#xEv%6(fdA|W zGW-Yo^_y>C=6gGzwSt@8e$9<9dYNRbuOPk)A71-6cwaIUxN%2u2_|YuMShCHal#8d zRcm?l1HZF=WLv>!;hHi>3;yPI0DA=Uo2>C+YA^<>!Pwgo+4|;m*gERoxXqi>!5L`e zqjvNBo`FH`gCVB4^hSo9a>e-Uy&(ouy6mm0gBB3)dA$!OBXW2_& zuN-L$UR8v^GYpEb{qyWOVW@or9zPrUQuKXO9NBNN-MX<6+ z4Elbmkjfz%?4|bwi@9RZV)ntADj(N+ehceP45is-eb4pHqZU@R`bMbpAG%<Jw9r;n9W~p-ZfAJo9-W=E&+F|Oo;z~*!6S!kw#Ax0nTzH0 zrgd}#J?I`c&xc3npqSbx&F%@9d$25e?NhIFdVF(IZ*O44BY#$+KY0andep`C`)AOF zuGeZFpA3i1E_ANhcF()#XE&|(pzire_cP3$F_e+}@foFdNG$k&2HxzBylb~4wNK=Y z3No)GtDwj5;eg6-Yx*ZCHASTjDlK{THKPMMc{+gm&g3fhL=ljC*%QSCdYE{JigPZ<;i5}QjdURSF6_9Cw z5C9;v@ovWUH17J#aE(J(REf0Gwz)|CDculH4cg4kxMDslO z^KO`0?Q*@qT6A%+Mu;)EXHmVh4< zGfgOuCJBA>o*M{+XNXysm~_AJN5gOw(msPT{X>K;W_E;BN#b&5D|#nBPAdx|I(pig zs7ou=lRivq8ARd3L|;kbLuadbB|gsd?X??y(N~2|bGDYZ>`7X|qdy|Wz<||Ru$_~v z0ZTXrY_hJk$x3V9+HEqqKjxlG#@dxQSXeOaZv7@+HG{0sK&WC6S`%({Cfte`E=wn{ zL9uyQj(?UlFs*^OV%DjHZ_1jW<&4Lr4b_b`G1D)WG%|rWrP*jRa~8;$8t!8J5Jnzp z8`;F*-FzjQEc9-pckXO>$4o0(oJjpQVKjDUw4-e_nMVH2EVm*u5h`sbd64eG{Dp8I zXc@M(3t!{XhnE4WOX|2kIr>v~ar?=*QDR0f? 
zNbxqnj!9d~n}pPW+f-xFuHP$?Z0)h*de?HfZ{|^O7DXJCmQ*(lsx9fN0p5jhAv}hu*~5Xuyh^BBI4{oUu5r*j&>& zbW%`YgG`R08+o)%&=?7OO5(%@!7artNB~!L%Oo*S8rr}yF-q)24HH|TCDYR|Lk9Qi597Lxgh8w(d(BspBB z^jL7p46OXCBo|CVGfWX~qObRgx6$)IE)G?Fr0lcLq4hd9(s%J0#1hZBv8H3zG zOh>Q5I@y4cYKV@b8W+-FgVhlF*ij3C23TvfC)|vK~>gYs`a3<=N8}I`Hj{Rig=eDA<^~g~ zczXCLiGT&I0WYC9saq<#G7SlaCwqe4*-t`&6(r&$Ip!8l_%Y(&gE*iHr^jFjrVHM4YWa8` zn9Wcq;AhB!_{aaAyQAxnVk^lA=biJ+w64s7(42T6l56An9;nkD9nCpP*Q#ZIOEn6g zk4?Dr?m{`+4|A&~h6?<#m|d6|N@5qvj@GcO?Zho$u_WobRL*nRv~kl(Ae4-%p=4C0 z`^>U+nl18P~rnqN*$_aD-$(V13{m>c&$-6FiG$56zp{{N8uT- zv@}ju8)MCwTx{mpoo0u26b|1^ZbDM*tvh=g;vN>G6-s7i3|?K{-bVgy%A=q7xjX+B z#P6LC&iGIwqpwVa$Q-ZGGt-7XgQEqa35{naER-`+h;I-a^{@C;W)j-Bx$^tnRkDTb{0kb$6YCsn1x2FR%~0kQTpU z-?56^D)OFHtZ0=_3^_F+$TDSU1cr!pmAj;0}F&(V=y|C~{7&yO7L)EYVb zGf__;f&YE|kpoft2mv@qk%_m7xg{rTx^UUf?1m6!kts(X#Zd5%*5}MVj_3Ip;X(@> zkUz!u*M_*RgRH5kA zwT1;Gavp6}ReM)B{!yP2-wLTl0aIhUOB$Peu_(3ae;tOSWOIE6f27;>Jd`jilY~N& zZQ`dm`Xky{yt*;_-hU9!Y~v@Nt7Ok7U)4>-inZOT9%jg>ep@DaVh6ZvBSIKD8;}s!f&-DC?dX#MeXQiA* zE>@>TZJO;r_udyg?j`gnn;9cDmafB@J7O+SQU*_4&_H$iCb&u7U0m$)Aa=Zc8k7I% z%3xGIzNfjHbtPzEIhJ`FKIjUJ!iU|g@s^HOz9W{JYMBEETcT()d8{*lU#*8IqMXwS zjb53<5Czft5#J(IYWn&9oxo^ZQHhO z>(6`M@BH`NaqsOO-E;IZ&>GdDg5lWY=pkDt!S}ArZB>jIDGg!q`$udQ&hr zRHyK1y)bSe2Tvd8I^Gp&rH#_;6?f8dV1Ttevw^MS7@WQK(Z;9)LzW8PLQy9D^(cj> z6762eos|I;!ADRS7{fic&6jauOf2$>owp-v-hxX*FUwzqu0%P*7j*9)c>dKwwqEDEyD8p>uG2 znaw*nf?nj>4e%t;+X@kfCM zEs#L_Utok9m}05&L)XiIeOp5&HkSRTK*caNq1TRjFzhht_XJ3AqkNJ{8nqj1Ar zQ?iI)w}R+s2H**-*9}R6dDzkAkq~1N&3&}3SW$}}LN6X6oT5#YRnID#+$!4_8JwD>fiIF%wjH+a9 zSCA38C{|Pc7=wZ|Zu3b+|0wInI_{(57iqc-suc@iL(?I0j`(64RW)uxa+|gdrvpO) z;z0%VbIe~0PMe@=EzATp)iuWj=mz38(!r!#&}#%_=av;z#OsmlkObBT*>(9Z zW8b)Q@$CLGOMWiS*>gl&W!99HFP)BPO#3F-lr^l23_Dz$sk~S1pi1?=XqsL$WS0;B z*vJS(mnsNbM%wX_As4%~^eD{aL;b|C!a%5|ePv-k=rQ zzKK=P&P#_Il2{z8iWX9TnQ=EIPO4y|D?+@#+1P-wGD&cxKo(7RIVF(<6W!*q8z$iw z9DP|k!|Qd(Y04jZoaJ1c?aNo@1-)mp=gcYYRLR^lx=wv}p?X+8q5JOT)QZ`^M>Nt= zug&$rdXfJ7^e;|>)CTnfoyw_7lW7j72x4lIe0~vz;xmNy`97ud-lTSw4g+T12)8Eh 
zpJVcqOBJ!-#K{bCR4ISq7D&yDT<|CF?N)#>a4I_Mjk?JV12OLk>XBuLMR^EL~f5OU+bym zN-G&RqPdbRGK_FwDCCSQp!%Og?!-x=l6*lxxG=MbyBk!##!jxsrd$0Q2*b5*=0fb2 z3|M#p{cIYtekZ#Q{#_*o&rKsmrz?wmtEM!{y29wn*Awkzff4Rn98pttyS9HkZN!1r zXX*S6#P?6{loF6yq_n(}?A@h5|85e)>k@b`3;Ix*#HdT_#E{Ki*bkO!D~s0=pgK!9 zgncZDXUXmwlTKquWFniul!_7tV6{4|dgX?tvGHdXlV~~U%jhK}2eTfGRma!x@W*w^ z`hJ%JY45&&(rt+R)Ijv5EXMU%34~93g0E~V$@}hYz{sk5t2q~CWgY|y$l9P1_;)}*o$~l)IZ_jBy+u!R82zC8j zCjYZOVKVoe-Y2Ya2?Viwjjw7Qnml&`m53B$aR)zVE&EycY{v)#8EVKL631Kc8)YDr z0r40+zPe*XZg1=JP=bFQZS7@n1sGOFGY9~b^s+}l0STz-_iPKdkcBjN{iCRK zg@sb-fwUB-e`0;xE?1t>b#OP(F^C>v#P^a=^+k-T=Kn}h4?^vzzGM~@z%>@3sP>sFr{FK)afC9-e6Ya zjDJPKoWEE8gt6_*4u}KfdEYoPzJaH3bas6#BJ1NE(S=-83>1sU`rq_~0=IVgdKC?HL!~~G zEt&YJv-Q{xURDy`Rhf-4rM3Y1bDDXdA(4hXEbq+008(R`Z+E(SI=*HyH)@rVH#=Yl zYldJ^u|F{2`hhE9(}g%6Nc2;xA$OHeg5a7FM5Gytq3f{r6Ff|*t+P?PcFCihy`U+A zGJeX$wa&1{L1*3IDo-7&tDE)yFj+b~Me6?}7m^z*dG^pUC(w{7MRP`{l+K;K5gb>$ z(=Iwr@#!I#8@gW3q32+@^dstxIM zz`--hNT+@5huFxbX8-~t0&r9Ib$RlYF79fu9QLy;ed4RIsz9CDO?JgFQ-dGl(AxE* zAx8kg)}wC6f^YJ)qmJ*yeNNHab3QJ}d+B@)VW`raR3nXId(q$tf$!pY{<{PldOtt7 zN9|n>L8z`k?N?epsaxvSg9bIS_oL3NQpPK96NFR2^Q?esiKPe*n{;+q?T`8=s3kJ( z5m6`Z;ty8w217Nt3P*rswecP#^y)--(N@JHK=F7Y)Ezz%mihuNDW|fA%$|DCHlqVY zU1N~M_+mdxG^0_mK?0CgX;>+mrjeJHbzR0U`$0UZ^5Z88*5Qf6PlZ&G*>wtrc=7@m z)=$QfvYt$SsLhZGIsBjw$`9wJb4q_~tC|w~YORWX6{4xvbO*(-n&% zjdTTLUp>yftj3lGWTN%1Ce>GY|?XKmz@f zGwfo9KBj)cMGhhNfVgA+hF?K0iX#%#+m;4ikQA-OR5=nH92wdvT(UF$j&ui8rE-lL zhP41Sp*~k99KKRuQYxlrAbaWAdwg@uFw-fCMt^GKp=N~Q9!82a#@;HVfr@SWeeS&% ztIHTMK+M;X89^Ys%eGc%1=tO(X+Z=8S2S;D!+DV#ig`~UuB^no zFhsBr$Amdo@ybPwV+-M|iyBCx>EpnxplLpe!ud(j8jjl!KB!jTOIAR~j=H0rkI$x6 zlcsoPl`pfIGZmNmDUIY@VG8=H15Z9mzv`#&6sW@+_0VzP^N}KlKv)L7tt zPXydePR^_P;VD&>O1z86K)~$__hR>3TIpWc%-GZv{M4FuUu6C-)bG+CI}0iZRVC93 zljY!zPdI-xJLJX2SK>C@xLnyDzH+ijWA954ymNDNSakvbrqabtGyM_UxvjFDF!VMM zXRK)*E+q4Rl!@vL=C+4mxtli#);@A=s}u@3VWx;FHkmW~SW z27-mB_Vxb_$&_l502~-AilXebl$Z}rG&_;*B2t`ed4bBztO;HU2=K1h<=EE^oX^BZ zpj}{ke53b2-hd5gaGY&%9E>449(K(g#egM`tA@uf=IZh|EaeWZ@8Iz-CDTT>x(jl>9@M 
zOF}``FanMJF*ZYKY+&(=mW038;0AA>l7^$QC)#t;`&wR4@tkT=cq4o zlu>?~umVT7D>5B_2sW(WxAB8EEsxH?)}s~9}hKU?S{#q-i0Z5q30GXF3E zZ+F;TR1ePcJVw?7@MsUcYkIfj`G~V7fvSR<(QVL1%)jtiIB+u>0h56AP3&j+A)6uV zthb}e!|)|O+}EQacI|3uv(QeC8HeitG$bxr)0hsgbP?lQx^APs=@+060Tuw8Cm#|u zHFd^4a#v4CPym&O!h4UDck=B{BNH(%BO9h*3`?%wduUgpJfni zWz4Uow}a)Sexe!Uu-=zMUOY|Zz-m`7@bFswe2_cPO5l$?ryj7Yk5V&y6BY*MFuh{pibx zp+w2iPgbduA1frDX(u*(irgXu&Q|KP?(+W=2H24o8?WSao0Z_pf{z1u_2!95|HeR= z(UU#Pk)5mzda&4f(P42N0lF|>jzbhXTw6zwJCvyje%b-AqEbH zlW~U@@nFckN&97K@j*H>>oOobo&`k>CM(Ia75LRe-CGt`tb~jLsagjr)7qUXkHk4(hYdr7e01u-LV`XB zM%FGx$=WFatJ{IKPsIOIn7}}KLcNhqQVYHlK8J_ZLPcyE8L^E>ukmFdoczNsDKKQ#rv8VH z=B&DNg~Z3g+*GFrU$`kQlydVN_k}f35O?ploMNtz|AFi&b0(!BRKlU|8xhecEfwZ3 zr;?=}O{|eEBP;qb6jvG(A8@u^->QE@-qc%m;WqdXlK$m;#|ZVBqyTN zQnk|HHTg46b^Rr^AqvbUx|Sii)!8Q5}qjtT17vFv(Db?OTkcM#<-zAKD;) ze1vpRFK%BdlH>(P*=$#gJac<9b0gix3Ox7-&3$oYs&I%h;E~H0HsYlZ>WITs0wv{z zTTW4e#5z0vcI#Ic7@fJSoXys?aMf0H(Uo!uQIxX_CdWVdtBw^r{;v65s#0hZC-qQ5 z09sEMY>EJ%;4`N=SEq2AY) zT@K&fK1crURe|neBp;8>)zYSxoGD7Fw*)JT5`^CGxLeI`0hS(C2Toqyr*WOLPZU0t zhpHk=o+_YHn=34XGHdA(q0TZflTpGKS-9%7R{l_9R%F*Sy}zq6RD)wWvb8BzG1Elmvp$ z*y55?qrW@K+lBh-41wu329mpU(g!@rOgOI0U_v7wSW=hb-nF3Vrn#2=r{;7IiDSlh zOC4Psf$HnY)_OD46EjTGZm!Y&FUbe@x00$sWb8kI|A6Dy(<6hj&VS*PLJ z!sj?jXE+AV8o%#z`vVk_aC&nBqZbTeze`@B6VDIOH|_LucTkhfhm4QyUtucVpeh8!+1~9cOkJoZf zAY4%5b*8Qd6)bDIKC<=45{l6zj*nxtx3+ggzpo{V^WP*!e$tg>xqi}uWG0dS2SZ0H zpDFS=zF7A+6WU9~g*%Wzm+gKdMgKs1CY84UEkDR-3|5HbZz1u6Y$-7XUlbhDfL!FN zS?ozrgDlJ(0a@GrQ8A|E+@Y!rW|>D8mW68e>q@M_pXIz~f~%6Z3XjaCa7F$i zkvSzwInS-UuHz>L*3`+rI51+#>j~r+%-kdfrp=%+dMZQ~5&WXLmDVLgqOV0XkDDu{d(DE@IMCk~yZmdTP@ElFBMF5OY{G76W+u+( zggbvd%a^a^&T8_W+1 zY-p+QSmbKVtL4p8bi=8Gt0h3aMlcHB+s1-c2Y=1|ia%_m>?UE#Sus_<+Y{gC zro$iip+2>;@=_=NGV6xobis%m{%dVv?Ou6q!;0rrT0Gq(SX$r$GAXv@ZAo93qsbvR zBfQijOOlh@5R<7btkMlx^SuBsJG4F<9&G^vc_@U)0ba2T2WN(fLBXj{aM)Hs-@MFq zK%HnD7(%$`b_z#>l92E1U^Uw21G^CH1EM?%ty17qIjMTjwAnFzB)Tr?p=4dE?`Jl7 zS(lXoOL=Cci%zi1_b$#I}Lt&%++m(&U5@;Jb_@R6fMfG$q^H 
zG|C?|GWn_$&=UdbN+bmPC0;vss@6u^3_OmLrx5u?J_i&xO!t@CY0oBgZ$pmP$|viZ zN#3S)o`a~ssU9Krxv4z7(HYxHdD^7`C;`&k;KZe3)Kc1G!_!Uh+JBY(`ND{0k{a?w*4KtW)py{k3KA`OHD zV~@F;N$6DZH8LcM37E|E$gI%RR;uMk+btt7$fqou?ri+-*_iEwZWHA*IS8U6o1fLIon=_hb@J*UVMq3oA(f?^D!^=KS4to46 z-Mfmycgjrg_;&bmlIG7n95@Wv|0fwh03 zi*B%~!3;UG*rH0G$ub8{>N1#SF(qr8EV((Kpmn|Arnau`Z#FF%k?2h&NNL#{mLCnY zQXTu9aSwE|mb$6uBuYNWrLO1<^NPwnCkaBUtT}e@3W36IearW3%w8p5Af@3Xjw>C! zRM8k&vc{?g{ZkTSn3vBhJlNzegm531WQeC5t~Kt=i&0a>)@s&Sa0#4qwTI&rX+LRd zVWgHN%EFarg){~QsErA&{fL#yzl)Gy{|!qW(g!j*GG^!ST*b@6we_kHV#->|!&)jw zp?g+SpGleyPrqQd@zbeLW#UUU8RzOgKq#VG&d!mnOOKQZjZZN1Dy|Hm-$+R?oAb-I zsmhbp?WL-xo9R3=Z(X=i8RAF9uXbtANRv+-+ryxI3qg3(U?h4fBu^->S6D^=J85h} zPE(-WcE0)$WSQ({>J{!Rlfc?%?#Wn=&6?4cVr}d(FQu{4${=5qL52D_MtN9{Qn|=} z5SY_@=hRl#srx7Tvz40gBba$6JDd~Dq0SbHRXR@Fd~e^5^dDS*>W<0D&=*ir1P!;4 zHLaus!Ww!Xb_nHxSZJ<7RBIt)Ymfy;wGghYele=?G)jF8*!@7_I|orD&BwzDh&P9F zn45;Gbl2a=vHnAjfRo};(Z3VT(t=Q``ZS0N7wrQQRfG+z-p=7oDiXpdB#f%$!D^)x zkw(jvt5F6>J$6oS?Z*M8AoZ&XsSl!GO4bIt0BJr1XM_#E)t8@^k86$N!!Q>0%96@{ zMqAc-|HUZnxHvo!?x{u8Z2xku77asV&y{1T>t85O)1=MuoJYCK-1M?K&@e%>ks@q) zC{zl6-Hrg)`B)`hx#*b%v)-6`wF=V zDhsgE3c|lj_AblsO|GGyqgHBo%j~nMNxvVY89D93>@0rmXbT0 zEi-UTX_ntaiwKcg#QrC>^Pk${Z49l@DyhUJ2C?*p0M1m!ZB-Zww2==5m)tto4KX^W zRq_j=rkujOv^tj$KEfRwaf1kb4vY?L6T`(S87=^fzixo33i0ij#KN@uHe0g9dR>di zV!Z{5`zLxr-$$7MT2c(VBuVkL`hVA$opT=c{ ze6yuG6TR#lfm9}9r8!JQnjf-Z@3^s_Bhy}oIF<_ljZ6K^Z)%~AYc+`M{a7wOCWwFA z*Awq37IC>m{55m^p1M%(+DtBLnS6=9CB0_fpFzz%!R4HTn zpy@PT^Gd3yL{tq@?B%~KV(fP^#Nk&9AVWBGv?cq#&?raTK=Ft zW2g1;N#hdE61!b&HQ&w9YQ8>^oj|)Icp)b3;13!g)L%1H>wFSF?UI4}|-$q&7z?Qia@T zpkh&_dU>pn@wGk~^{>yEZ6kDPF?l}^lEOr_gZ%M;rf`o3kH2-TTVeS;ypGk_hMZ3BbJdz6&(ah zF$gL6|0#|h&Too?E{XxsY&8FWP#k;9|48UBTqA6rX1QljYbI)&G~}NX}j!W`er%2_5)f@%PKeQi+iq4 zzCqGVxw?fxUxCp}&@VyZfDBJC-Pk1NM>c_qSGVrgmuwlx zGN(Fl3H)mbAq3LxH(Uj)8{W?|a32WwSRr6dXSv>^P(r{{fSwfMQ)o{+qR+~7$zz=H z>@4hf4D1v?kJkU4FF;g8mOo1yHd%UxA02KtRTA$p+T@DN_1^F~wz9DU#X9E-ZTdN5 zrQ>keEgvw`D+|6`_lNAFPbAZdOl)`_uDx4lsZ@#C{eLk2`!HV2Z@cgZ^?U?wlP%xR 
z2dqTS>bj1_pjFI;kQ2K0IxKqeeJKyt5G43PqrP)qq?)@YCqHxmoR}Z+Tk-tSJ)mWM zM6d?^O}2uw?zRWz_5s2o_w*|j&7>L0%R9b92%i@`e&MI%%T}CG;`oV|E+L+R+Val@ zqp-kD-ao06c{s5^f32g09d~~$@!W>f$!raTW~#hpI4l#7pHY%|Zxa#^UiuoL^CTMu zZlYnwqMJ)ANz@Z%>zs?b^sGr*%(d^GqnWxR`i^4N!weyXil8NNtSKqU$K{Y~s9sRz zE~R#Rq{>O4ltUGb1j@UmF-OAKDGC0zd}N*H&p<}I&Kj)XTYo_vn$Z6MJ$j`N!#_Qk!j7`MIju0xToXy^L+Lf5gQIJKRb$Tao6tKrV zVr}N4@)~uOqsMb98+m%We}lYV>&P7EgY6;Lje|-j>~SUKCRPx~!uFDy4ag=T{N%@u zFY>bLVoQF93dBY^d~qvc7=+9ihQPM-W~x~h*o?K+oyred;L~aHrK0{aylI}y+kRXG z@G-iDL@@#<=AUt^@*_p7)ZbOlnXp&&rDCUpg7xZ;9 z4CJ@+s#=-t!6~lP{&i>i5(lo21(lG()2x>khh?u$erBF&2B-Oh?5w=Mcu@8m(1+AzZv$QNU z6_1=Ad+HfgWw#6m&+81@)`l8xvm3lhg#tNx8!;|h3if%>^qD=fnLSu>=lPE;Yf4d)~7JFF~0f8abG z!2OioE>ABlw?T>lRZeL7MZLfI+cg+Qf~Ym??{564Bk!{|WSuGzV6>xN&b!XSxK7nO z=y01(yH(fonc`I3iTzN1x%PT9jl2;WiO3sUD&wzT77(PlhTR@-)c5aAJ9HuVSJ;YF zDvK|!L4_XNZ(9cAIgM$F6prr`*w1y4TiG0*m)6Zc8r-)yIqa_8XKz0~tgwg%%?CfN z0Nzm|8%&93z8POI{hzdp=G_7t z%i=1V*jI+SRc=QmA)$on6Z}QNfm^u`S^t2(WP}J$0#B^ppk+zwE-?QE2dX2(07{Hd z1DXc$(}V_E#EU6}1mf0Er-uZhN6P%&Gw7rO3bd*~C!9|UWCkn{{Lil3v_HUpqB|Oe zz}*p>^A0(>soRxO_vnA{iq{FIuZ9DB%0WN)wz+njPj-OZ4!Qaifi8fz09rj(d#%ku z_>#RRR&*dGkBQT^3?Re1tx*|Wn>AGt2BjZT=!`YW1*&1ur?AlmJv!d2ReaXT@E@~@ zjl%$?eiD9+7xi9@4Zi&&GyLJHIF+O^Vt$YG?$YyR>@#)nTf_GhQ6Jh{!#Kk5e`O@* z|NC7w^L^e@odFV#Dzgj9EQY-0Kn_uabpkQq4z#hPGyeqrI%XpAq!ljz3&UP_#PtkU<-0G53 zj)TW-)*l$v>bN?fV0DyUUN>PA;bg&+izI9o^3WgB!d57QzDna1=E04v3ps4(=@^YO ziH$YUO8vcT7>(+^LF;_Wher4{6XD;Q=wW+B-z+`<^N%L1zBLhSO>1SSkNY1@^sxOM zuR>~^!5JL`W|umn0bz&n7BwECYJzO$Z0Mdi^-Dhsoqic1cW0*8Hx`VH1uyDAFxXwz zBf!>p4-VukjyK}cggq?bCBI(-IRu(wx22qFQ_n&)kg38CKCWlZ=`$WlH1I;OVS)-` zA4)%$*d)jLltcv!np@Y)M1{1~FSZEK61@mwM{qqjPR5brA>8Dw0h(cwB zb$ZPC^C^-rAccS<`RDafmjEe2zzmd%m>0IeA;CV%>U@eW5G!mSa!V{@KX+}-y7lq+ z4+6nqr03bywO8Sp_{SYCaZTZi8uZQ4k=EsG-XL!-KktyloX;G+#YAnF)DgUSiA!~p zl_;H?bFtF!8xe_=+!WDXvleGk{pt_g8v1v_EA2ea1?EU${U61de;?E-qu$jh&#?vc zi_iReUm12-AEGxjFq!>(xf;I{icX%+WtT6ouL#|7LapaP=p}PriAL|wM0PvpQ zesm`3Gg@I+C_8=8=P|kH|BzvB+=925&yJWeT9r|o^;?g35TIT$WWbAY7IzHeu3Vsw 
zy+}HC-m5mXOY!Ki44CzgSOy5`DsI`2UiA31V!Wv{Jq8N;RUN$$3^M6O1-Yp&!iM^_ z#`AoO3jB|#44@#R=>9(h0vy)zE1NL{Bx2wKDDH@S{2NmUA+HC zGQhu*UHq41lXQ=D5a*^qfsY3RkZ&2%vqx5Rv-#hVrwgwjl!=GiDF?C*eQ_9#tF6h*V z39Qs6MZN3+Hr)SuHsCE&Ijy3~zZ#f*RX1gN8QbJ0uXjTb`J~n^t~$8OyKtTLsBxXu zsFEhV%j-eYU3xi=O``$5Y51Nt;7Pk_cth}S7+Toj{X4xF{*+i-oGjv=c&IAso(NM$ z%_G+;N+~~-$73ntKImgq$12SuPQ9WMD}F&;x_#i!lX#bnwU-+`z1RrW{|jV?n6MED z0PaTH-RDEwolj#3oMizdZ%PLwFHSQ-4ouJizODSU8HHX6w$0=-0m6f^T?+*G*Epv@ z1nOq0FxMr6_wmm$v#({(G2iP$?;*)1s4dRF&vLTQlW*l`D45e-PF6<}@q(tFwco^7 zK>&FTz8=%Wny4{bX-*loRdog--@~7~607A|&0U=Ff+TRoiUu9duS3#tzFmO@+iY=z z6L+O_V7xUbTFYO+KRnmCKUQ%1B{c_d#OZ0W&>=43VQwM@&nLuTr+MK8TdC#jYb`rey|4%^&C|%N6Rs4MZlgt(%a?% zoIM4*7-hr~)9qGE!uBA*lpmaw5E~9^w#SCUwkO4cgYYO&5ov3Ni;sy2+9w?_L@%VW z%4eBZD?=2I7h?>T4hDBN0S5f5sPdsu6~>tNu7ui(ZV3V+Vpo4$$ub||UP8TJ| zg0-umD2@G9v~JyHhx1jXC&RzaqGobyc~3vl)f*Q zQAFeD0j4`3a`w>eohvDF!*lCxzYRGmY;tR9x%UDiN;L*vW`R8Wo)0^!Ge%GGMw*(k z-t5Ej3B&ShOJh&A`Vf55L}nsI{lI$u&BGF7`G~Ecs($#w-zEyb=ju{c>~kD=izaQN z1|0Jm`&!BC-O%=_x{GfI*J>?Yp0LwrW8*6c#gBOw^s0 zd{dZh0rS^CE+m0A9H73B+i$3*@;IG=fkyX_aTv?+SpI};eLud?18)5IdPRd~k3sS| zJUhbkaesShU4QI5LPACnKT`d9Kk$xP8|Cg#(tyF=I7`*!We&20w8x*pSrUPaIV@lV zUP)0hK0-^72u^`)o48!Z9<0HKu!46O3=bMzN{WwV_i__1$biG(1yAjt;ShEOF+7bz zI`S_Bg?OH^S0Ba>_Y1W3*L%K%!k{O}Jd8IqXq6|JN5boc1cV}?Bdm*O2$<~|l>ofd zukXw&6!l@N)-LjY;U3r0qL8J?0ZfP_>bbjbb)gXw8&=B-R}@!O(ZNt?BzW6N;3V+c zL3mX+q6~klfen)gU;xMe*92Ay3QS!{XaqD|Kyc~`7m-UO3#mj_42Gf{-kG=h9i9V0 zS9rLccLZ!H$TpxjA8$5&w~xRxwhW%nBO!d)D61#GD{Q3gy~2)ZDhcL7w?SPS8W^Vm zgJq)>EoxRVz+Dq>_pDvBrJ&{VGFpAbP{IcPp2dN($Pj-sfs10i<5g171eb|##2=|E z3yXHN+csiKPZ3E5`?}4neH#FLtPqrX>v9l3;6!Y%6uV%|KvP^daEhXV$%tENxeGwz zCLx|||7;KhJ0|vp?ctPt>hYGzp2ZMYdUa~d@D=|J$;DpeOk+4{Dwi_+8?K(?D-ytN ztxZQt$5xUBJoVR&`8+kN?^w7xM+JV0{cpl;MGsGrwIRe&50pL{{y~j~lZ4tIamj&LD&Y=i5)q@?t+k=%f3_2iDKBs5Q_pB^Zgr+!BMSW3cw6ID zk|&(!fYUxS=DBV%@V_CZe_~7 z#Z7mDGfUY9+GfdMI5ta8hjY;LEH$g1$1Y`5Xf1VtXP*DP>_F}_w z{6&?7$V?6g$}oe%_|sVsAOz}y47SZ4KOkmg*b&|eQJhUae^X-gFvrsWVLsamuH}0J 
zQ5qtASpj!szp78k0hsoYC$t9DAiCO@2Nw-~dvU6l765l{ots*2vCVX?bo_Ff{20N> z@Qhw`8RdF9?HwAX!MPgrP}yF`?J~~vJX_a1(#iYxS4?)$)=6_cy&P^ie74WdM|`$_ zuZ-)y*Pk~>@|FC$3H;fuU?5lA+1=bjV_J5Rk?UtnUNe*LrDT4SV@`+itYDE5I^X~F zp4PCR0IiGujBwj-e^6DyBwkMVqI!*{lUN?>XCn5y3Ru849#+oK! z2WmTcZAvtmjE+q?AS*mz(t8&i31RN#wG~|yY>BSA=*uqY-G>ZFc9#&aB9@yW6A+N< z-kISa32H}6G{8Wak8#c)*}V_^+JR@)GdFVTOS;+=*zTfpn`%=qTE2Tt6=$~EzGtt} z|0XQs56Q+Zl1p7>was`~IV_zdSUKMbi}QEF((U&X7GfR@B9_Nh2*(&0j|ftygaLH% zelIcvbdn6&NrwW@u83Go`8gg2CVE+P8z{UG`{$YL!T_*evCQvU0iB5KY}2&x(Wd+P z*x+1_jTteU00ZPQ`GWJJ-O;pPf`Hyu3!oRHpLOx(}?=T%UyB;we_HCWEZ|nGrwPN6u zqT;-8I?T~FHnU0-^iM*LBMfGBnHd$(Naoxz$Hi5J=qaxJGvjMu3W_N;#)x(n!Buw7 z<5orrQ;3BLy0%2Ubc=*bN6=_9(qbx9QBDFO8))LD`N2jg)%ZnGJVP>q&*zFoNKf4% zkB%&U-*}W0(8HRq`RtrM}6T8lr4Q z6#K0FGURa*cUmZ^mHfj<>#vCD?lP_er%lGKPMd<#7k-hoY#V zKlet7da1AputU64C=t4yOwVm6*&)65mQ3JG(mi8NBU>${$U=^?z7uLwkcr434LW7) z^YKU&g*mR+qQ<_?kg6miEUUG>rBO zH9H0>=QJiQCrm)X50rnlDG1y@&U8PojtRSW7{G*!;I;VR#~-$81Q*&7?4VyJ-*XaW zdc$sI)QkM-isl6ftf*gs4XvFwnvE7QL!?S(2_+6O>1TRpPJM=wd(Teg4r8D^Tx&;M zFT#yZ#|!$@%~Y)*atAkDB70!7XSueTd8$?m&WTnFo)n)X@T}JHUUz*QrmHS}`XoJ` zFvIa@xIn5IafekB!s0cb<3k`gdnUf;EIwLYxy^qAO3qGy2|C>2dPm%Tg(?P5^9m=M zlz-36_c@P^aT%S23M=G|0{>XC;b@;0XAfYAWB|-2f9?0uv|kofGbo;#_Dr{=^_fLH z5EciMy(?2L$bwH7bdCtvyZ9**`70~;e$(dJ=E^wwJ6}xIP^r`j#=vfhs=P~s_FU`k zY?_;CmW@?zr27HnaOJZF!mX3Om{GQw95^t2C@qMPPOQB|lq$$O61@)JRUi3ULk;b2 zK8}%=`J)g^?eO}anmRH=yVExWJ4}Df@#ne_I*Z>PJ(1HH*WueZY&uHZPulv=rJtRv zxH|mIirXxub1)g>u1y7CXDm`rT9E%}80M@zPc-o$tqPS&K7JJzb2+;GusmtgQvn%* zXl_w!J{fce{cW1ZS@#g-JQFy5RS8J)-Z4d2JCzK?BHmro~O9^M~#t#oGC%IU6F8gmOqRG^_v2y>Z}vVcI~&w@?_49p0rTOqQ>I69=?xb<5Pp(>iI5nU>a)EifDv zE1*88&?iI;68L8oLYMB3VM09XZ?HtUQB9i@`lHV!BK^ z7Mt!DTfQlSsdC{R+g(K)r8Mt#&jKhf92Yxs9NDr*KRpNzw>}>qzF%L!3evzJXh8q( z_T}IG;(&mGi2fPAAODYL=Ku2||F@2F|9th|i^P9-M*lzh&nZZQL;Q0J$oDhod+hM~ H=hOcOAO(~} literal 30671 zcmV)&K#adoO9KQH000080McwaS2X^>wkZw(08CQ=02crN0Aq4xVRU6xX+&jaX>MtB zX>V>WYIARH?Obhh+cpyZo?n4c@5WL_FSh%hxm-tQw`pdQ#+NwF+}N26L_!j3kYE8& 
zs?zg+zug5$Q4*Ed31w?K_a%iYbBZbU!QNw{VQhyA1eaW6AsCdGVkVgz^M_0v-^mZ@}7r~T)-a`M-t|C`n6 z7p*QXHRWlngu$hr%gAV}$F4u5sVftB+L58=eRUG(hktjKEl=)3KbC zzhOk$H}X91F!x;V;^WM-Lyecjr@K1WWjWjRd>6O7%Qt(%M|ux9wtM{0fw12R5v1waSqV zOVpmY!!ltU2j!#_<}`CtY1ykl*kzd#+zMvISQvjnjw=N>_TS;=U`Oo2 z^RwK7mkSA_Q_joaepYIl6_Q~hpRA&XMc2)e%%g2WVG|_ri-N=8nUTkjSvP zHdiB@q04^Hg@LU)yfY%qvM9F>w#Wh54k&OcnMT@V+TdkRE0fIVneg+;bOxNt2`3@J zg-BSqb0TNR2<|Hhf=6h;UzmVy%oKMZ(}Y4%3h)JaUYvO|u7H>9KPmkIIhi~I>A8Ut6Rrlq@_RU{$RBal1JeS?cNkz3 zgbX-KNLEHz@H@B?k7IH~Tm@tygFvUj5O}x{Y3uBxr8JKE?BYbn0^niUiB3}yIk@Gl z5PSRN&}Qz~nuEqGF29lHXWIc8y&UL214NkE>o3Hqt9+ z`N8p#eGCFtdeNIn-s2_#K_mzZ@%Q7CKuDKB?me2fhmz!~Q&IXcuu0B}{gkH>xeE3X zg$Of~fYQOZxMA=Gz}cW)I^JWQBEzN3EW+%l3#dHf2JWWcU*hjKg)!mCF^&w;@SKd; z%N+Qn8^6NwpK}z*g#8!L!ysv+@30a5$B48enP*~*gJ z?&IpI_Z@bCzRPADb(a-u56D-Mw6{;TG6N}WJ1qcSMnpIUFJW61y0_*3uPdTbI^uO= zf|$GifD6 zg(6d^-E^VDCr0Pl`p!A}#~=TY79k54oyjY+JgEK+b1t)x0tl6CB!%<_nFYq44d0ae zuk6MxGO?OTmH6!sO)|_R7^5>YrBXlPe05LS_K_n?CMn;OawJd?eUe?C4wJU;9le%CuZI)L47 zYP7puck`R6?L;RD~34oqa7*DLIy#1DCu^x+l4ec^Xj)?Q?=<(vCS;zqKNb>&mZ{ICmpm z^~f&FU206!D2#jiG~N+`Pf0B%;a-zIrH3>;Xr{h0Oo5&&`5x%-R_?F_6r00kO*j$` zwFlLk5z3cmP}szB40SO~%8-3aL%1xZ8_SC{=ADkknlCmIDn2NNdQSJ?4}&BVl4-bT z1y3-wr>eIs<{%eMB`5%R>$0g&e!EypLikGETGfc?0T-8nXaNfmFkqx6N4+VBX3+tl zzB=A1E^vjK@v1-DNZ!K+(O9Z_SX-4Q0by59yKYdBg}MqS?iCZS&3nCF#O42sT=-*2 z!+N&8ng?uLg{suMr#H+WR>a>zMUvCW^wVS(L z&?xtG$Kk?mc%Nb?ZQDUxo(h%G$;<>2kK$y;ddGvpbi}7K3jm_>S#An<6D^TErfVqoe~1DcxcoqB1Vr5p*UQiK{0y1@ML5>FTYXK}El&4j1&JxzUQu=sM9 zZsG;c-IVbxQ!+@b2jYvAL<@q1(g?RZ&++BHpeA^Zt!(ePt=M7^a77rm3N_xcNo6istc$6OU0gK~FM$cDrQaa5~=W?}K&KEmRI{O>tBzP}T6j8OhfyNK`i6$^peq9J;j zJMB3Zjt=hx3^JY3F+(txrFa@XjXT^|d~6lKzT;!3=d@W4IaX-w++Bfvw0DQJTiD)r zEHrmUdlM`q!Ze;@9_`Ip?KUWQuJ;`Y%^l1B^75SBWubj^Pv@@xueARXmG)6{$IWX^ zJnYw8rNZz~Yyz(@ca=H2)%`cYlt+PWVs7e5vi(x+HkvA}V>)XKDPw`sjz6 zO+vHn@BT%z+K!X8m(jL2(0_pNc0C}go7%HRkgz!xcK6W+5QuQ${m`{Lsksu}2KuqS-r@L@G>{ja%S5oJR6#+elZ-HMK@v2KJNNz3ByS#jrAj`U_fA`BvA(v4LK&gu`OW@ 
zdckERn8Lggtc#igcnH#DiLe&4PH=@!%|kqgznFv6o`UTl=Ll(Kcogs^pF z7#JRUhGF!z1t~QTxqB*6J`B0QedxjE5VkR5YxLDw1rykN&H)vtp#I{$Aj(xx2*BTOFvrFl(w`5N`>JI=2$j{o zZBf)TKH1|`-6#%4E=zOrR`|YD5S!gIkTjm`zo5c)m}U5~tTQrvULjPv4IOr@aInV+ zDTNW#PTs>*E9UM46I1V~vG^Hh_(ih6lIm5_?yak(e9 z721Vx8}vKI*n{=a)z6FQ+-3R7w_29pt?5-h)6}{kV`+clCtCnk?a%mZOIQ4!b7hM= z=({V$^7G}&Yu|UFZ?qIVRKL&CT4AjC(XLV~Kca&qHEV^B0iiUnA6!59A5cpJ1QY-O z00;omY&uu2PF63dXaE4o>;wQ20001OVQFquWo>Y5VRU6KYIARH?Y(Pv<2JH3`h9){ zw`ZSaySHTPYDt}R&UU(U={0?OyPf2`tKG{(iIB|Ql&B#oJD%+R@23hE5+nhN)XlOD zPbRTR0K}!LQ1zgy@Ymlg>)=1b(KVUc2hXj8>nNIs&reU;lar}EvnOOqX3>fL??pgP zM*ft)3r|~(=Aho_)EmuHhs-_y4$EDT>D;p;a`Hc+Kl}SZ4cj02vj|@OPJ+<&XZV@s zNdy1KUQbD6J9dQM{|o+xC-x$`_5&>V)*S_Y=#L|-ZiS2a+z+Dvo{DGK8`=c@#uPsv zVx>>Mw}{|NR>V7Fjs3v-#f^Sl3=g3AH~QJR9oX<`=v4Ay&mY+l>mz#t&!W3I!B)d4 zaAy<#J?yqSdqZZE=o(%&QxuNBd zz`cP_jst&6i@!Oy;tB`6+u!JazwtH6w^wFfvolz6o<0M$!N-mcKavTh0pDWOX@!C; z#FB(o9jJ;RAs~(5z(hyku}4Pu+hHvsl%qrO{_yzt%aTFMW7UsIOI>Bg`iJ{f zDu3fotn-=e-9_#wgw-Pfu@WZw1T5mth=&Url4vp4k74NhUz>Goca=qB%m&{ZEdn>X zTgElzI6#aMsZVsVcmSiMcWfy*ZRB1{+d~^Rho&g7a9{efu{(L~G?UtYkl{7Xq-Z2lNbZmHO6nD^96X-^ zll#F-wm}tsp`e2NHBB+ymqiQYPbi4P|Hx(2Yv(9Pem#s?_~iYZu!Xn1*HB|}9fhZ{ z%n1)`mMpH~7a*@{meh)1%(#hEudo?uOuDgCA*h_6WfM~{BSL}rG$$jZn5Hb$HDjwC zo)!%4u(qsr-5J#nYm1rtuLWU(;i%m3k2QnfwA_q!9rZME#ppxeJBv|FO}w{}{gtG; zA#-Z2+rWMw)()M~A^pW--T%b8&)d*er&V9cePOMX8aDf$Zf(Wb)6)ZUACe$mP{w2D z3&)MH7xDCDiY;IFRF|dNhq-Ty>0O1bPD2}XpHIXNK=&a|Nex6Z8K`eF_mDycWK4Hc_|DHg)w8M7$gokPWF?nQOG9Tri&vg0yy zt0(&NlCh_TPWzG=v$<)W77DFD${4iy{%%6UyB)5~7lI1&oS~Yo9B*XlzmPjx5{#H< z4CUKm1+6l*x5`laP86w%)ZSV~?K!1K)x>h@TSf8N4fUy%pDcZ)C&}iJ^2dcowDMUl zG)jq%v*EDY==NLnk!_Fa9eXgW5A5-<-X0UuJ3Ax8;kXyir@k3^P1L2NbrGca({vu) zod;?b!7}chs+Un*ILx zY(&Q0&RH=_K|BJOug=qkCdBIBimo;QY+ z-=oDE!+zIp^m_IF(C*edqhYr`XpDRHCh7NE_Lwvqqi!*w=PV?3DJ`KFnarCZ^mbW7 z--*q;0-?7n5c(?C=8g$nWqPW}cqyTG$`N{}B%!y83B6N_&^uZ}?`)mWJ7o#Iv!{gK zsX*wR{U`KJIYRF&CG>7NLhqI&^mZ|!cS{j^S4-&KtrL2;ETMPzl+e2s2)(=igx)Pj z=-s7+ekKULSxD%#SbIEfjK^T7I)k%zz0(*q>cdvMTW@z7o$;XAwH;@P*?Lxr(9g7l 
zeztW&KPyYpYBhg!p(V&>nd!-1yrzP~>)(O2= zme6~9O6a``gx=eKLhqF$^xjfJ@0TO=eo57(Q%vanQiR^u5_*5@gx)Vp=>0t<^nL|G z@9#gM_sbD_e<`64$`SgYB%$|<34KtC&<9#VA8eh_2W1I;u&0DRs6gn0{U`K6IYJ*S zKU!*(JX>m%A@$Bu<%PAg{B)_IKQwA=|J0~a`q-$kr}R#TQ2OAgvHuj011fcN)L2gQ zWzSQaCB^%)1J#lzs!cu3@8G1g{88!No|RTQEPV*4rDcyxm!Fq5OCFfAawTYf$%$#R z+>vQhe`ea;{-J5J^r>lcUyn_jRnASD58&XmS@PsGJ8)Hz`0TV8fMn&mgU;xz+ji=` z=D-G;Z?)^gMyp?MpOJQ_*(PW07Fj~``+9=fta60fd;n*t z&60%(@tT|evg2hDN6-y3z794|G?9i%q( zC#lWtAEh=+pQSeU^)R(r3tG7p^K^qjD9_fvX$vmgOt4nFgylRAEWioG-CG(xA?kkXaR&y^R^Hmi0 z-IBRVZC4TTQZmmwJSx9Oi=FixyF2QTdS@_h0j-}o^}*SATyHr;(g7am+MRwendek? zbtx^GSB(*@Oy=#fWWEz^eFZYlD(gjLzKX8CTQXN^>M9~$O6GZYN9Ffuv9q%ts4Klj z-F8L;p!H#|J{XPL^>M2?X!S-Q&%1+SGS6x0>QY)VFVfLBLgt;aWWEyxeFZYl>gPpd zzKVLjTQXNE=PDvzO6GZIN9FfuF)|wT&&EL9?G6FmyxZ#6?JkhH-5H#bv!>JUpEZif zJm>7FE~O>&B4@{qka@Q(neW8caRoBZ`Z^Yo`6|ASyCrj#tD}mDmy-EeIWnik>@(7` z$4*-iT=Bs!*?v~6|j*coKUP|V9M@QxNXt7bd)$W1Ju8*A&*r5&~_5N_ss5hH^hd8ZK zx6vCFlX=e3QC&()=0%Q<8zJ*vSu)>=pW_N-p7nDqBJ)-J9Cu6RDmO=2D*28z`t=F_|7Sxs`#jh&n2EA&0Q&pYOB#|v-I5cc|dMla+{Ro zS#k9VI&-Le!su2iP4>ZOB~#RsM9ES;hvr2J-_PO+p^xuB`>7y5d-Tel9qq34FzBz^mUx~#o-6x;=C1 ztZMvB{KB8pB6IuB^KBOen}=AA{Ao|&xi$BZ|6JR% zLe92U;D%qrnnh3Q|4pnrkQE?P?df4iZ#VGA&;`%4hdgI`&2n6OGV?>)HK4Brdyd@$ z%9}#>W{x%WL10>!v&)(F?Abf`=<{dKtk+{~-LeC`KLPr|Z(&Fl2PV*>No+08pFp2J zc*KV91Y}GCEXmj5C#W3Eq2Gj;#>D+GC$q~4E)SkP!vuoK^YGcT%L8j-dmgA%Cu*vk z1or$IbuL#SEya(D0cmZJ55VUlRr`e>!8B7E4akV#1rW-Q(yAVr5GE}c9fc!U4;wQx^{i2+W(1!httUMj+E&L}&t##|%^Q?1_CpRw2KlOspcK)Rw zA&}SqTA?3A*6_}{aHoXITG)ae3%|bZ1mNObzy`Cz;Kfc_WjQ@Nq)9J7a&jqHS{S(W z19PyLPC@nq|KcoIFRZEk=TT}xj!*8EZe~1>TGL3IwEkLY@r6@I{AOZgex@t+ChI-kSez5F`f7Es~ zQwnpf{_X+{ENnf%>wa)+yG5$Dq=FXSl*6wm zVK>U)4i}JrE!==Odch`jpMOhi9dQcJqPpS8pO-H!y7QsL+VCoLpin3Z7DV5&#ipiA zIfr;8Zc$rMMd*xG~+^s_?GJSyN!rHXHLZhiGZ4~rkef~t)rBa|* zF3_%I`W3VS>QFGFx)tbv{vwi^z?L%_Y3kmYQ)AS1S={<^!cEbS!F| z0>xEZm(tr5-r*K3=x07fWWK(J`vaId?=OBrQ|ICuW-Kw?uIzvGB=RC&FAZC#5KgDV7S%$(^EE*L0xbZ(EpkYPMO zcje0^<8c;j*0S&`+N+9os~jR-P!h_HK}7xG(u)A~U*l!t0l#*1(x3fkcHy`ou!D$~ 
zQY~Ooi<;DGnY1}!mcI1ocZjpTq0Q?x3VmbuGOe6?fOs}Es}ecxZc?k6&Fe}MCi1N& zB36{?#W|bxmL3oV*3tRLx5t(^{9&@-H+nBDZj=P%ze9H?*b4k9$EFh5GZtb&alXai zXB3q|&Q?VE`!ho;?${@jiQogZRNp6f7ipm)YGR-V-X|1Z#o~)F{vl^6@YN zRpn18O)VSR>Kk{q_|t;D40Rm20ea;vmS7{mFSbuCJe^?s0ctQq|4)ljKOF~b?~?#^ zVV{-&hUM@#EFsf}LJM&gC=BZG4PnFRip6{O>;rTebVFRRc=OrTmdFXY1%wQgy8tET zRf-HVYMD&O^4=MO=2IWu)$zY6Wg@eEX3k79ls%*Yg@m&;esk% z3&-^>yoO6>6|6l=z*(G0(iRZk;w1|Fzd&JB?Z*40aqypk#OG+r|NhCsyP{VxcH-aa z%nYlK-5`wO0`>VFNR!#$;X~9KqlO_f)+o2qNmqfV7&5gXLzurQo?bB%lQ0{ zgwMrifQjJiu18L+pZ<&jFtaUmLUL~?OVE=fJR$Yu?!eSc=L=w!6DA=dJBV<`a8=Pv zpnBWS(5B!{JiP}oI$KcAVs}eh@8@7lfnMv-cG@XP6Zvy6MB#%-wNQX*Muc?`6(wjq zgj${Wb6AT_hzletKFkj%?!Y_)^$ecGZ=OA)rJu{(f*_7v11S-=D9hz|VQeHNE}o$e z$&na}D%(Ts2#g7LGJ}q~vs8PV?IB2E_zEo_ZyTaNhiFdZ`!ex`q?^HPQb}+^#TmzN zGm^rcA-2Q}A6sk!u=r8*M%oi)Uo}A9EG$@KQfbIl!Xc;;OpmKoS=Q`9V zw|@Kh2F&W{njIz6Qb=y7am6L+_5`Dx+Fx<#foKSE1KtHUYr26|c|=YoCtS+^fB19E z=ZHv?Y+C{Pu}z6I!yl*&v)U(pUSS+hs-4^+j|0Z3jh$CcfZbu$NrbaBCjq6c8Mm~7 z;@~NT8syog8~bOrvlk-^tPJ7^Mc2O5-VulP`|L#CKRNy~aS^w%W`5+3T|N@1=P*1J z)qpW}KS!Tfh)H}Wwl*atan5|JuoM*bT-t>m%)Xz1cpv-#&zl9Iq)0M#P`|C66NLFo z{vDF*0^2@e7kWL*y{ieKp6fTg0bY{&z;yCRK%Js{$m>|<;pFgX4}nrZ3ZdMK>|rfw z!g>c}W#>!M)?g<&cN~k@qidm>Cjw1T33W&ZWUxcEnHu*JxNlmmlcacR4;!H`jss0FP>h=jvBS>g0oHDdK0z@OiH|{_;d9K?n%||Hg?HOp zKRTOeK_!w-AbHF^39-HR!Ni_%#5X&!OMTmLNIojJbdRt{BOf+UHqd0s|1Z9iKLhIQ zL1v~uabo9lC@q-q?&A|kSsu@7iTUKhAZu^O!P>_c>noX58vRK9>BJF&|X*G~Q+6`-pD(ulYJ($5W1%9++ zLs1aibWYw#VxFD=fFQIMbJ}36F(pbP8j%*NVaE&@39tQy=g>xn9@U{k!o(%Dp8|Up zvLjPaD0uf{beR)5JswJRBhk(y+G@<*3b&hs6UG;~y-XQMPET%Xe2G8f$n^&4Lm2m3O15&rw-x7V+Z(MVw4jO@*w#T@p@Y~+#{6rwCZ zr&9REhiJABOeEhKy{n!(`zpr_NZ!A6?_~e33*+I`4MR}<$`fh+ zS@uc#@5}_{9Q)UBlaD!LxwpP9W+tw&q4)w``|y=at1Wu=^ zXez0X%Y5@Jp!NoH z9tW_bSG?)}PQfg?Ae2%OBUzElzmNuU6yq+Io6=v&0irZl2ON9(hn|u|5lw7YKGN}v zqVhXMRAF2bU#hDuB}l0XXYWrmgiY#fJEKsnD+fgVe=HFL2Ts~eaP=4@@x^oqthVFX z(%Jqif~hLiuPWC5CetFPy-h^B=63E?qFncHr`CqT7B{2_K3z2yR~NMU=v0HXMZq#v zU=0;Oz4aGw`9)iOM*W#mbh(o)*NM?t851my%Oh90H!3x-~<-Hx}xxA5dX%tTrgN 
zFc>zSZKWvqwM@{f3US;_kn4_uTUQBcEf)e`gT=41UDXuukv>1lWoJkf0kt*nF^`Oxw5G>|oRc zdG0*Ov*MDNU`|~y=kg#<OJ`$A zFy(raQEdNJ_1eTy-R`AnR3*kmE`@mTA?S4VaP*+)I?Y z#BcML5iN^qBp3FCZbV8q0ac(*OrXk8LLiEX&wRN)QH@*ae;_vdbB}rEm1#Qm5d)zf zu>VW7V3+s+N;fDSDEi@D;wqPN8hZg&|DU)^T}@%jb3=mYba)l{2o>P-BW|i*+0m7A zT*IdD^RmM8Vgw97ow;N3rwc~;(V-tqu23j|9(0gYIj2K>!8W<8Fn<1#%>58uVD54a z1@H=6$~EK%xw1As&3yJUdWkBVqGeWEkjmAF6}v(xSJCy?(>a9`!5YhdcmWSpb-*&> zRT8h6T;;^KMA5|WZs;;kg76Adx{K~tBLN}it<0gnts)+)R4WqO0SsU9`XMo2K^w*dmY=?pMOxq}k(_Y`s~v zm@mTH7({JUEjQyTS%(`BBUjmCRo1%D z_NroY8C%QPTE^DevaPk;#!}l>Dw`@3ZnoTpDrGw*yZV>SiswqHN^~~R%HnsgY^G94 zO;k40a(H>)Y@yW^BCYMSip^v4hZKG3;pGo`FlS^fb4IqIGct6i{WP*?Gf+XF$Wd8q z|BlLXT~c$-6Fw@-(&^?;%*uR0Hs)q|KM4!%H|7{B%qMi2Iy&UW889-~O6V2@+U@X; zD!BM;A#-j*%76#27?W+P zAVrwIZhz0hS z*5&Q5XVRiE3IjtYMP`=*58r?sP+OjfKkM%c4;6jpUiny!Q2N9kk7;&eu-zv~G4b?@ zKCZ!sCEEo*5zH_Fl(?=}R1ggiaO>@bfe~Ld*f%K?MHDY z+FtuiRH;gB>`YYGx;YayXQJjz^q$T{+Z#C()mi|no``0$27fCVp(_`(I5q)vaYyyRYM#YX zWP`m^oGBJ@MsZrSwT~l(FlRU9mcWfc!{{pyT4M!8iJoR@6L0+yS^uRw?(O)FY<5k_ z)V{;~*)GlRA4dE>0d`F!5Oe<0)5@@J#{SLCA+ABQKFi@daRVV8LU{EV3L?S4uLF3@i5vdPH1Lmqd9nKY8tTRk zC4J?sxel!`?l*=`mjGjtfm81|qh5VD7!2yoW~1HelkTw5C$xc5U%|1{5@>gPM1zq& z<~{G=fWnXb)?0W$@0G@9ztEd*k|$J~W}|a>8uz!@@m{ZY)}TM%c(WpTJ}bZr4ea(yZnXX2sqj}S5w={41XSzDgUQ5@5R(GIl@2t_$)oQjH z16|i!ou;Ja-CWAfV4`^dE|Z(Z5wNn1ub5fs+!Hgw_Nh2MmRG z^Z4u%8>#g1r4o`z7r=iGBp&|Ee|`QOR{rwfi;{7Z+mVHy#V#WZ)eVH#{_QI=#w&H9 zz}WV}5=7L<6!|&ur!g%kq?W@z@H-zzx))*(__PVW;106OhcE708N^5j*(jWXqR#=YjSWjE?)EoTIj*Xh*v`ek1)oGHiH>U3 ztuB{}oM4*GBDMF8JNudhrQuhvpwk4ogV1D9lK@M2V~Hwcb#T$ zL}CRJHDBVb$c)NhT(cDvVY4mLY7jM}k8*p5XH%0k7M z^u-EB(`dJ01pQ8ZFlrA#Fg3gNeizg|*cP4UnbSJ!jJum14a|5zq7vgNDp)Y0KK7sV zU4mBpX5YBKNwA!>^Qz4*N&(L|A*^D*GwC4WW+w@ zH^#`Kk+guG!iQbPzm55y+)4$Z4I(Xm_AMm?T17HI*v|AG@K_MgOTA;k1ag>KhdSFj zCuG=lXHfI|>!wA=@B(Ek?(cOFX_MLW5xte|JBxSyc?ZPS#dx@=|l6i^xNkZk;o5pwxT=Gh+{uRBce03TS?~kprtIqbW$GPsB zrB!a%D=aR3#u~d|-W-CJ@zE6(-)dTrZG`psJ^6eoK3~l6tOieTn6^$gvUAU)#Y6m~ zc+aRQq(n_gL)e>eF@^oz{Wq~Jn)#ikL4f}r9b3b@gdt+0Wl92+=Qc&;MqKH5k9Vwc 
z;{5T>N?ViV&Fu}F({8vxB;Ssqz`09C*LDywtqp%mYdcgC$=kztBtSx{rb*>L|0UkM z6AA*Q8LHOBD&4Q*(a86FHfAuUe+;n4T#v{!5}TaqhTh7Llg9jj&7QI)X3}QbNggJx z3vs+&TiIo-+|{v>JOj(D^fD6lFGw$)85u#{pzC+i!X z?EZAJ?0EDe&nRmj<;lW=$#6HX;#E_~HmVRB6>fVf+?EI~T~8u|+BbTLA%^)+}Rh$fP1 zJN{~5N3IjbeJ!sNG6im5l|i$AZ;7*&A;SjZG7#5Bwhc`pZUcE$(>xxrX2FGy0jwSY zV8v7sS>x!WG>(sat=Sq{2`I2fD#yqU9M&i3Oa^<3{ltdugy9y{fvdV^5-TWb$1&MU ztebZe+oC3OsZKodP=v{nOejwZqS*9)Czs1-HOcIMksU3Np5ja&sgKy9bRk5Xe}yNB zN{E4%e;Ma-QKWW}3%;W)85iOlDit`VX{ z53&X`Rg(?JykAI-PgYGDXN?b~W-+w%3Ofl>Yj$*w8EOt4=lS*Z^Xc?C5O|^T_$b(U z_t(7a7bvw&M$Yge?Ms&bBxa}YU1#ecTNyF30kN>m#jt|d*dIBdu@N4VDBu=DilZNd z^{^SmzJP%xQ$x35=eNbGpzD^ovLe@2L~-wrId^D_X)#}Bc)cQ#?ebW+3Z@sHz5nzl z=G?jPfBJJo-4Npl#!XsflfZS-7Eyd^ESyKP2h7PlW)GRW)O5<0Px+{(&ZPV5qx|R^ z#&qp_PMAFAzL$I=;{v|~Gzbd2$p*{aGtp+V-C3r168scdES3CTxot`x z|JC^RSMwVOx+{Gw<(jJgpyZ5Nsp*sxuDa=!noXQ<6^*8Rc`LOmJZlw=#tyZ)M&n3Y zb;U_w-)UCr%QqT#8u+(wFvu4vw9!DG8M_`MLC#a2!e^S1@oN@icRtDbIm449N$woS zuE04Yq8o>~`7;ql{JR^vOyCF@g3E%~2{{{{2Wm4EazzZ88~*gKh3#GVsj%DPIL}n? 
z$^?WK_yf^g8xJ?2P8B*@5K7nB$oW=YDSS9O;o7GQ<#a#HiyA8`@W*O;VUW`cvxe5F ztnMT!mt2n}?DLw#MU=<=oKmLQ+X)hUO9u($-RX5HEKY){Jv69fT8s z;E<6!<@&tV6}DFFMa%qTl|I&-$mMQM?Rk1?J%99iHuh<;H+J;K$1^NmS1OrWF?e-8 znFM5#(C8--cSk0`es2jF7U3(L z!>%O7Kl1MwL2d-O5#&aYZ(NWYd7e3(M;x0f==e(s>7Kxh1W)g-s6cu^up?Utk&ZXk)kLne zeh(%*T9L)5bh@IEgzw3jefU#V3ZHRoR3;U;p{dE(({8KfPp^#UaBHKU!@p4R^a1Ff zs6!4k4memNO1JJ zDHRb<(lT@E-^hjdgZ-4lYTp+zE|{QW%MVg+F*qyuyfEBI=_j_IGf>WBbaT$0C7pOw zUOF=Ol-u|ueko%xJr7PcD96&J<#}-d??!r#>%GRRy<2e8ST6s%mtJn}r zRJB#pdhfHKP35uPUJyl5bV99EFvJpX{eU={mcD#bo~y-)$#)bvvb_I=!6BMaNZHKy zV;mxeqskye7WDlXfe0AUjQ}-^%5fg$G>tFcHhCHlYU86G?Pi2Lrd}?u{QEr6EN287kp*X~8W!9F@^gvC2czPcs{-);H;6 zdIPQE*0j88S{)P7W`aFcdCTvS@u7Eqkot58k4cdIHWuSkLw`Tw=$N0t@-+1F2Z+zpmd(LJ8RE@^Dp^b-c2I)g8 zMX>AM?+4qU)qy#e-WLU_oYP#csutDaiTt^1CS&^_u$7icC=&LHg;^=wr%a$wr$(CZQJI} z-gj~M-(7cPWOcua>deS|RoTCMn1im!-0>;U&%2C1j7BH{wk6^OK>H!d3pjKg3+~Mt z!>wJAyl=7CafB3x#&k*|@-k+S38<+eR5&Nt3C4(gtFj=U`ZEbxqmk5M;Q)JsGKEjc zS2z{oWkOj3HDKkqeWJ+B9lG3pcgwfmT~iM zW0t;x$jv%f$OAoJrzn7(~TIpRq;)VzVWx1m_e^l0S+)VFR>tDjgOYrmL>8 zLg^`}S#*jB{hY~ZbdsP1)a}2NR=f&{EUy@Ny~zJ!YT-B1e5GV$)uA0&{dk@4vwf-= zAyYoUj7{*hrYKELI%%}Rxi#~M{xMM>f-M!rhZiBZ2^UkDH4nF5UxTzs7kVy# zMJ(N~jc|#+y>bKC;%=Ab{k9c)#T?t*8n^d5!PK)3Y(+eZ)=9Bp^||ejJ&nSW-eh~8 z+mAb~URjBdWfjf*KplIG!lXs4vG6`xRyaXtf2lY8kE1J!!FJ^=Z64*I(>Foms#bAvq^ z(O@G;a;cqRZOUC8+(;C6mjyTK!bj_VAQptG&ip*G6@s%*Wt}k?S>j=ycclR6>x;};9uB@|BXaUmyC1&v?5$CHSPm($D=}6=a(P7at0jqQ zlH%(sj&zgo7A~^b;4e=eXzH2xTZr{0V^>S~5MkE%N8~FUhFEv_J71lE2l4Z;QlkR9 z*;lcD!E3fS(d2gnlUbLd{u!s@>}1j8w_*ZIHws(K$zZuI(0d2<1(}Zb;KD6v=!4YT zyH?abWKp+@4qE;EPPC?@AW04Xt+rJag#gcqtJO5tT7ETdYlGXR>@A;;A5}Ym-L>EE zLk{$*VopNs&*m5qAK!sqz8DTmFdq((f%*ULHL#HSrXRH~mP!2UYueUPs))tvfFtZ^ z_kLbM`3i(&@1YXGs`&W66O0UB?01BNFB)vD)-78oU7_e$ze!prBiGri+$Dc(Y$8<^E=bm2!lGuh} zUJ{?5)SF{EseOvo1510a>~7g1U(0T@K2T3Hu$II8u22gm{Xi?NQ8+6O&(DS|>XFLj zTc&%wJ#?%zt&_`q=K1qLDDVMXVWk>bI4kDx@j+a#1GJl=9&W1pjqnD2>=kM_6^C*V z7C6{ON53UHoYNXs`wd=3r(XeK(2jul-A}ZgpLRM01!hP~*m}RdpLO!|W?pp^b9S$( 
zrn6so+j024y>G*@KA{q@wj{gi3uHQ82Eh_lFGftmYWx)qy7WvSXPL>Y6yB#W^MYX& zL!{Mta2W@ZtWeR6t2{q0 zWW~tB{E>@t7=zZ0j~{aRwdna0LS0*OlL8$a4f1ul6$9_=I4P0I$;x8d6GbM8anCse z^|ylh0xEwFjlR{BGd5YgSA);KN6!2zg8a{9;soBfN+*(&P8d=fNmm=Ax`ymH5@7xr z?lIdYT8g0@QtiX1jAo=t1D+kZ2B;H8W=uQMFCb*=*0OCBuO_tFM%N*( zq=9%xMRR$zvl!BDRN#$d*rZr4R&6rpC~|!x?sgoc@O@B`SHWZm>6%rES^b`Y29!H+ zX@m(&P4AW&$CG=_Tscr;zAbE9lUE~9+J(LkrLdMaS#Mb+gQ~)-|Fh_G@`vTExo67> z4W6xhO83>+D+!mu=Ka6BA<13Wf!1d_s#L4%Wxu9N>Sg4C%va>A-_by=<3+S5t5B~$ z3X2q~lTZ}u!{qJCI5716F&|a%)lO@YJ+YS%c~?jKBmbDv0JA+UFMqYe2s&Of9_sCb zLe!0ul!+&6%1An;rt zgP+c@*z3)PJRY}d9%z-kws7*#Z7={)O3#+`sT&P2w+Y7sEvpH05->kXK^1elJ6)XV zkJC_habUv^Ph`wE9Uo=6DKQCqX30X9JwkK553wlzgjE!AMI%b8EOb*(i#!ZTl6~uL zML(3CSM6fZva5j?qy*x`01uUFm!YLq5`Diti=9(@RUn8BIg#rIfIC-SJiuOf!!mdp z722(xR3X(bw66{9pobPAj!wN5BrdoRW-TG;_4_NTyW(buUSEz{8c%J1%m75Iyx=F| zKT%XIbC^ZRt&8rN&Lvb~NZbsIqISCq1>b$CC$^4)i= zE_aw_pPD;zq_Ji?OWYUv6qV0kG&*vJ6cc`*{husZ%1F?uIiHCACXC{B=rUfkI%vH&%RV82B zb$}R|f>pCKdAN|=kbXn3s=zkdUSr~AsdgHuFx4Srf%v2A* zeK2in#gP!bhR}h`Xg$%J7Cp73spY6&ugTQubT+V@CXVN>i1lqRz`c!@G)|;stkJPM z+s= z;or!m*&ygFD9JLK%@ zJ~5<2G5*1N?;lorb+LHYG*7tr)v&UZ+Mb1G{dP~@PG0MD_u7}n&M2D%ZL_huoWLd8 z2CEDjT^qoFL1?~$mBqXsAia6&_qkB3;q1i+7U{lh_9SdLgYlfn<3NaaCt#8Z!w{8z zZ+Q4J&RY9iz}6T({ZjEv2M2Pg+KeVxnrjraPrt|d;&>bT_`fJ~%HRJdW&X74DWyl% z!K}cL%HIq|eBgZSE#U?*XkM*+ZqG4untqeMpD@dG8rqzUDk7UTG3Od*@HZD;82*aK zfyupQI?KE=RlM%sIg?sJ0`IiTXWw{uGu2d;4-5{SOZ6r=(}Wl#AfLn$I}FPktT{u{5((oRN7~rs z;E-dEz9^JlP-BY!vc#*E*wW(gs#m*U&0L(OD6!}5mknQFFM~8|6p^jHc-?4^hsYZ$ z*L_kXGca1D^GrGr(fI*VP$etGlfUcjL(l6@Mi#!rtGIF$idwLjYY<=QKSn8`t>Cg2 z_M(fmR)Gb?6w6DEQw5b(<5^Ubp|N)JIhwp<7PUC|!#wKuMn%0ePI_F1tKCo6B8sPe^ydLR}8|$DmX^z0U$9~ zO>sxFpv%Y9%q*3VKZK>pHyIKfLDicLBFW%pJ>g9Jif!K=UUXo+U?P@6iVbhcB4Ga2 zn8-eX7x{N~;2mP*Fu4W9qSlh8(gKk(DG+gZ*MRBagaNs)a4ebFAC?ieGZB|GGL((N zNJ4BTc|rP)&ddn?rJ2!*kdQq}rVCNTJp&U9x>kXixUVoySx87_&NrlNjtF#~80Z3v zPj48r*VyIA{$}7v7BXK2y;Gmi{SPEnE}qn4JU?6*BN+-lSg-}`@)fA=O+m#QaWUYb zm1loluu*f}thliI>|)zUV>@%Vg!=ZY8I9TBdrf+I>r$`A0oJ77EW9eOTzK!UxV;>Z 
z`lq>F+}+B?m&FUa)2s|;7luBGX6u`VivB<>ZWui*h<+jvP!|EoemvyqvwtFJ>cEA+ z>llMbfuYbPd*~j&=pHFj_&}AtKT>)z$@qtmcU1NvbzeUG+<-2qXAqtnxw?90e7*ks zilBeliR5ox5ox6@V`(;KN~0dMB-dDxS5%=*dgSzpYue^O>RE{letiyo70HT5+k&~S z`h^cE3pUe^(q!B8fj%+N`0VX~VD<8;{i?O$Ubo@9(dlOzDbE_NQwL)by7(OXoH_dQ zfAnyju-?WHT-tNEuc#XS+N2s@MZ|V|cWpCrbJAsdYA9JEzR_|#O_SzPA}y9Oi(EaO zOVKg&mxUSGS=8aI2JGTCB`lpX3zogPyo<`Cbe?kz&JKSH zTi)*;^2&hNXq!#GiSYc!05f%>aJe))OuQ};t+)-J)(K&wG3=RExuNL z(W)te*8<66k?ncGUPT^g-q0phQ@=(9sV<#mm6h0pRo})$2)i-~)h3Rr@CPCjX49bb z3Kw9;zJ&;t^@EU~tkpBY~ zQiq#rsd@>cOT>g0#tysLsXT^kL+B9(W+x#WjmYLwQ9ClW@aDD(=7^ss^vIT~5Y=g2 z$8M(39MPZ4Z!2wiq=_rkkl{$;dDx8A%T?6KU&|8cHo}f#lWd{Xg8-d%C>>Li1zov0x7h zkbVRG9>iAx(Z$d6YtW&&gJl_pYf^CMns*|+^Z=VzX;c35)nD&8!% zC8Kmvqw6_pzGfb%YfXNgrPZ|k;^r?zJ5v*p|J?87{v$;?yf&0-zI=gi4DaSy(!Vv@ zz#Nd2)DmoaqHA-w0;S9<_(wc#BQ3^H1Jh^|A6kE zkd`20&6lYlZ~K4)gV#=_XG{`;I(~gL%FRm?@nw!t18_bz`sI#xL%`h70n+ANw3}q4Ho>}JkjtceIWs9{?SHD2Q8nFiTUyWrco; zY6}w%9u0xWmHqZW5$K(cq$S6=VpFuP2O@otdHq~)p#zblAjm3cJ}>nlMB9UpfYMd; z{aXqo`rd};y7T)(mZAi36*L=KTji*ZVXam#Qe*&ABA=e}#f}CNiWVa`AF4OjWz&AF z1;w&psh8Hoo%w?pdzXBE2sa+AE9zHheYO&QDnXtyJ}Oa6DUCpBnRx;#(l!^&pglZG zf<4bQTG#bp*CFCZ?7cE8R{Uy86WscN;J1W6o4(ZCIw0}+M3a0%I%c@au=7@|2D=)w z_g$_vML33Pb$;~##+n~TePiqvw; z;()0z2i9rFyQCo{$uDHX3~s@$8^ZN{U!@eHUbj();2PE|Ht*-X!Q2s2dx*oEDsm+Z zNn8Kx?Kw%DG9;>D@c)T;ckd*8!guNi#>5VN-9*<%CD>iYpW>E5K-Kij3*%-gQizH1 zqK=?-y2!bKeNa;!oD)V(9_>&`Zf7H|tm0mbyN5~bZxk^$u(G^Nxm;s zxEq0v;5L{~Zero0$@AdqKbCsOFcifl?cDE{M4$#KJx%#j zl!tvHg;=PSm*@vI)@cZcAUn-!x=5_3^@%7A^-IUL|kU z*(0CHJ868UtUdG`$pv%2*fMeb2kfA({Y4&Q5F~?xykHeL=?c*87-5#atD_MGyR4f} zLw`i`&5|}=7}`MLH4**!f>{5~Fog?)L}n;pB0g8ageBf|zJw7=*`z5CHDM<9jzV4x z)(ji;G#B6sYf;cyKa66b z8Cr5&&u6Xw4~?K1Q5u_>M@X!xgNhJqI$47VxfgCWgOy>&&#vHzYa*jJ27UHRCKr%i z^+1;-L#w=Zi42q5dj2N<mB&W=0q4HNg+W*ahVs0hl2qt!-{gf{kqGnAct65a z1Vr^1#8EV{d*#)bhgcxm=u^jwx7yPCxq;g?ZJHonoC5@k@%Br}kP!()8? 
zwLkKsu&aX&!IMvVG0Wn%oE{^`~G{BR=8B9=e1ar$Z~XaDTZJ6K6X#S zcQCuC%vz#n$D1UK+VSHAiV~5t1vK>HeB{Kwm%(qEI>x|ESUXXyJxoLtMcl%?hii=o zwG)(g_kr&R#e7e9*>URXH6mBh+xwk{!(~b_6}BI z!p|h8QaUHOU@%<-4l%J$Gtqao{v^uN8SYntLPB~sTE>3khdhNgH_rerAb)k6Xp%wl z!dx8^JK`+TYuYmjj$WNOnjVC`;b>^F(^XJ%^!o0@o}Q?Kj!&<=HY8oQ47UG@V{Y#C zRlF3K8tBhi1`bVat_J7SyN$Q@3^zY^ngfu6C_+50ay8Lc&Z+UQUw3kASNErU2nR?%B7jk|gRiSiIA`F)r8XljQ!3 zV*-LPru0EgI0;#Z7}SsLf&83KEj?rrC5@82oqFfFS%+#Xy@>jfWoFRb`eExn{WlZbC2O=ik%_i9mdiMK z!)N+;IRTIHBV+*quI3c4{of#7>pvjgKX)ET2>J)aLn{7&_>F%c9?=ou`L1Tj0ypfi z0(XfDe(8=ZkU2Vv!6AxRo0EF&Vwe8o;P?X|82aAt@54;z#YL~j-@u$++0?*K-q>$t zD!d5jBq=E%JC_BC>4ia{#=#4!Tz#eQm%6jAo)Hyxg}G;5J1o&z ze<7%d(?ui43`gP#$|3&$g0$l^e~>nb=Kn<6o^W@ajxrU=-T zBR_sN_)&`gLD2pQWwzd5Le1!<^_TI&=Fh4DxBn3ID~=YsUU6qQcm`^RYL`;>;oph% zFNBvVeZ_@#%U(;;&BbzM1ZAIi@(6_l-Fhb${;fZ`HGy`|cj>zATPGzfy@vPkL%RLR z*FE;{EjJ;iAM+Uzwz+9{OuFb1)J@qNce7the_|E6|CSl=dQ`lyr_N8K-1brvia(SL^_i$9*(<`hz( zI=OGWR&91R1vNY)q;r{C?tilVBOvjCt^U&N1f5oddh1ljrlmeIE|sdwk25{+V@=i} ztE(W8$itorL@!A;<)HuVfrwBxQ|Gd4RzCZiu8$)K_0f|9=oYrD_KTai7j)nJAYam@ zLzJ<7mGlTWbALhG8KF7Rhq#1HQZ8d6)NYnb@!N@4+H^us~~pHFu%PkoP?3p!pm)Ti*WKMZYItu+~I!nA3T+TEH4fpIGu9y}r$ zD)TvGLcVPV5x=$Mm2@&$dUZK^YoYd3FhM%(?Ja#12Qh@bH!esmU~6y(GiI7rJ2Y=H z{ahp$9lKU(eJCkzndswG19~H6;S)yIi8o1E!IN&d@$$u)m8i=5rR+P)LoyRozzQb0 znH^C15*XT0ZF&L7!9?l##;SZ1807Jwi%tT2juf{J5yJDf?RG7nQRyTS&rtuY8Tf0c zgITXaZN#Y-xE`2vW<{osqSWR@?p%=v(6k~ai9ocG$;9H2p9qL;G!2MUoUBEaY-GQl zNQJ2!y1FFc)|i;yYOq?L;dgdYPXP3nL*u z%kwKpc~P#q@G)xZEw91YG4ML&Jc#7w*V!VZHXRsO|Mn}HJ?y=8ISDDYBq@y#Bd-r8 zY9lr@#$HAKCYwJtI6oNZJGPsSj-KywI{844I|=cLXsfeBIPT zLX&Ha*%Y+w$TN+7LIyaoH&AqV%m+AWQAtQzaydg$iiLOCB|S7qt}39hQz@lfDyLkc z+-FOqu=K?^9R^?oOL42~k@R@~DNee=t+OhuqmGl7fGM+HWB-KoJrkWkjF*!Dj95zH z%l%e$gk>S?hUF>=_R)~dr|28TSS^tW%TT8}M3L@&H&-iYRhGClV~1J>`<)tDA8DZotvbSSh4-p0%qpC z8h#vuEoJt{kW#%Zj%du_2CN`v6=s&;<*NWK>EJO|v@R~)fTh2--^mXe&4oxOy@R}E zSFPy*ngX&R&1d(~-7|60g_JXiu$rRkP)ipBb?>Y>jHcG}tEFA6u%&Nn(oGKagx2ms zv$Qzi9LOvE8-k_!V>5qm;Ui2}jF7Mggf0Q_Yp@S&oCKdJKJnacTJz 
z@~4)Pg>klGMbNHP=HMNt({O6oBdTU& zp!pZ$Um(>GiA3L&mY&fNEPO*}KZ;%Ea8FN_*-D>5~l{*h!#dlFnZyPC0(=r?9%E3{w0v(&9D4AkvR8Y>lwC zXU#Fk8%Ah{>OMKg>&)5~9|fP@?lJ)3V?U3bUU-D?xwlWMhlMVM{lsoykVnPgh$9 z{+oa(`R@sS`Yy*^PP9vzQ?Hmq_$|#& z(DQHUO`ABFfQgt@Y>ZW-5o zZ;{Zx*Mc`1b#5gX`=<~Q+$0Hwt8{eZ%6h+Cf}0nHa}4wYc#L+4rJOYJcvudIc}1CN zdBsouNIX3Qcbc}>tI-Y3<XrZR}%y0b}HqoDewX?~XVUCQw@O93xh0+*!* z)S1fVlSfQgZDe?)$pGez!pcwfMnmSzBEC!OVQ7&$0}bsASHBD^Bs*ZS4fW99SpW~C zvynXN0S^<|ia3DVN-7LC5bvTNE_L~16j_*H*+yJxfJM>UM)(lkV9s<5^OV-+J(NH(4}nPEy8@1(4z~VKSTG{@L2xx zBM0o6na2DW+@Wp74d_PyApX<~=q7p*wg7*Tuz>ye(^^@r>vFob3ig%vp46)Y^QC{2 z{646o-rlccpLUaWBhhrOw3}@CS%!2e*Gp>!++6|N-SO@!w`Y7!3ftL`4fGI)RgmT; zAxO)o@(kCO(%y0XPGgfm)801iQS9Q@{RJQqtt$0s(OGMMW{)HHA@bZBVA|LpQT(om>9|ms9_QIg=_+tjEr+A=OI? zo9L7Uq?q*6Of%e^WTZ#-I=i|SA94rHiQuf7XyZte%eun<2hm8*S zAMW(w8>rU$e@70pbmBsd1$@FXhTB;kI& z=pQoSG*kQZvqo{q9rb9x+QOy;-h4A1WB_;~gG1l3*6-tu{OcKyIE2k;kB`zTJ0r~Lp^b_2uKKO$c^W&eOhL8GNr zbr6#|OLgynN@vhDXCbxu5QA8Z64!}L5E}~DW?Ll)XNN1T3Gu9Udg9h62m&S0mr($< z%|qE22aEM5tiTVohD=oxNj>Fc4>h?)KL@G>#15&U@Vw*YF$FIuBm<@{{CQBgK;t7Ha0@yR`51UWBjxL92HuHw ztRUl|eCf|NV&`J5l#VxJSzy*1Kk18|F$cpBCv={2)v|T3P!D3RGNwq63#x)WL8h#8 zjvr}jEQG>zfpYO%!atGi?ikJ2kR4LrpSNj+gd%sbjgwpg)BJw0VUg#EuXs2eFfloe zV@|(h+!w5+FeNnm&pyQL9aVm)sw~`fET`KYS=S``f*qinfDBNR`Y(beb|H6`0Y4))r)8*x!?)(szI3v(Z0{Lm=V z^I>_-8A>vLMBYiJm%XVS3+P|~(VOs%*1HvG=L&SMUXxciImzHJYWA*$OO1CLw=s7B z!FK&}qfc;gR)jiy3r^N!{lkKwjUl1&^X@m#`YkKNqC+?<ODqhJxi`B)Pwv(!D!4nF>eqW{Yj>3mEox^>Kl-g&liP*96^P2UT^5g z@DQ{Qpo?kp31YiPuRnccH`m^6_@*?;PN8{I;&9~@oCIcTn?LImYN`h3X| z)a*sc%=`4w^VAmrn7OXh-?PqDe8&9?h1$Wfg4P2Tki=n}WKtIkU-x6UxP|NA)spek z^5u#W)Kh143C?9I&)woA5k++F-0v+2OzO@{%Y!uxxL^3Z=kTa;djwIWE~Etc=+IdW zX4dr6a3lk1a{BzI$F^eVSGeed0D~UAxg4KWy}8bzf>wl|QtI~=2_GcOtx`L(Z5Re&;EZfbK6`SL4mwMN1(oWImI89biMs#IP$~~egoIJgdLEER92d}YPo8F; zJiWcB6eui{Q13eQ1@D8-R$ds2Yy~}B`jY44po4ZbfHKFA)Dh_mLIVhV!)mylVd+U6Sc|#EvmbWL%2djet zvFnLMhP?xhW=JeAHJ*&g)e{md>7ta{*~rK)T$Z;uL$*cBhr6~dcQE%*DmJAu6%@nh zQNC+TU@tFV?v#Q}0Y0k+G;Kpa3P>nBQMaALMsAO>U8PM@>k1d#z}hdY$yNg7EAG`} 
zuGjE>wo?i*TMy>w_og{)fl+#&$vhRrw{SWP8Wc^C5`WTYoEE)oZrp4M21uFFRiWgX zv+Ne^E%b*->@E+^j&>(bF4`1{_1#wP$mOaM|MRrf4(zJ;xZ3_mZ0m~~kH-G?^oD-u z#g<3OYfE0rw5`=MRHJ1BhR*4T)6S;TOw)U$T8-?Un4xp-8>Y~$XFB&b=jT=A=Jsiv zz|BZU%OHQtVO@Jat@ABB_PxV_gy8F5BolT;vm9K;Cbih@&6z{9DKq+|?s4EW5I*!p zd3+aRY%QD?S42jHoZQ5+|v*I<59<{#4X!o*e&n!}ipSu-z=7PP|HHI+lcad4Pzvi|Z?|jCidWJ!C zxZA9#{KC7B=4nZQNW3;%g9d#eYS0vN$Oh5Z-rEY3Qpt0)CX zM4Mr9?pc+2=h=(Q7h1w)RE%L0Qav~8=HL@Yvh}GAezU+JXrkdS$UsVdw#!qO?w%Up z;DkcW5id6o0qJur+LDhv$|+Ij*_{*N>GY7PTrixpw0-o~xVbhiF0Z05S(oNOW+4r9 zE;|_snJWTPn9X{l2~VQL9?sUk#0rtVa}lU;g>^1OV~N|GiegcYuLv!yRU#w@#kPhX zPo1qZHMYsZ)i!*^TK>|Xl>yRjK?O`F3G;`pmtjvuRjHE!(rvUDGo!xJV2(e@+)BH} zX3U)KjkuX8I77lr6`S1u^fnnWiSv<``^uH~iE(Tkl1RCds}}HSCKqcHYZa=3ch(Bz z6sw%Zg{Hg*zFkDPrbKtCK8(IURL>@abzL9xdPbX!)Q`ene}r&-e;FvwvYx1`1EiJOJvYGR*qiDbdE#r5mhR#Wy7Kbj_};Y#6ZG|_ zXk)d@KOc+%l9_>JX>I`Cv-s6uerPfWtHRt2VOO%ph6$@%VV3FRDy30tJ$keD+#O8%t5JnPM+B<)&~hiI-3OUPuf!v7 z6DSA>y3`|tdLb}Y5P3Ti$iHXH6j6BQ&w7B_U!)Zj)!GaJ2-@>JR3Kw`EBFfw^is}T zkU(WB@#-{YKx9BL|If6$Lq6x=@4UePRK)H8_RJx(C+R(6B*mw7n3T=-{@}RMHa_Iu zzheCLFtj$3C$j1W=uLR^lzruVy%G9+bSZQ$ra<%aUfcH{8seJr<(3<{@WPbnTC#Aa zR8`?R#59R(8B2P`s0Y$^6AQm+Se_K**WhNr6O%G_Y#U^!WCqAqBJ@yrjv4noUTmg60ZG}HO@?uUQfcP( z1|&VkN(y-HW+4e+c9T~l@G5S;g`em=dv8|XA}y9Lb=A>qZ@=f=N1^9b=v10iCe90~4Qbyc?H3cBKujc8cad2PA zBU*J2#uf>BBg5OLT!kIju!pn|=nBd}1X=Y}inlw5Yh}&YQTQs97G#mz4UamJ! z2cQCCnTY+oJo=mo9GUknWz7o?hQ74W7(F;ZEiyrh`QE%;$I$nQI#M-pHrk{eVK1NB z?s;>a{Ot+9?*H0T)GBW-VeGwOifc5j1XI^(QLb0it>!n#C9f0}TFJi(nqxKiU#blr zY3f@jH_~?(qVyUbkHZC9F*$O;Pi=ROW%TzJ!4V8;d!v((0fHJ*;oi^0WhrB~?n%g1 zlyarbsnV5_v|w&c0K$#S3eY2w43@*_Nn2DbxhOw>aaML%H!BuvJTIFaZc-I;Y-+d8 z>*H3>S>?7=3lro$tqIk|R;dsqNG_|8qUPcRmEb6ybWfh^HO`9H(>B*UL0LMYCn^ij zM{uh}ic40Y51mzX%<7Rj$f}?VoA3tbO71G@p>KYo2Qv({_R&o}8K8?dA3^n>Tn^JE zfE%F(&u&NS!7TkA(&Y`FwXA6WW_~inv#>evsEcP^-W*H!s7wB-Cw}VmpL#02{Q5Wu z4oV4LfU-7ZkIdEyZuNwYf<8naz5ISy_^(_jcar9gOLTw9z;B5v_LgBi#W|61id}>Tw!fEl-VggF+_Wo1m270Y z>+|v(Tvh@Q2nG26pEma=x6%Lh`u`-+{jV4Kui26Q*A=vXGV=akxsqfhK*9c<0`&6^ L{Hd8;{(bsyh$&$8 
diff --git a/Solutions/GitHub/Package/mainTemplate.json b/Solutions/GitHub/Package/mainTemplate.json
index e5971e67f46..4d0b03990c3 100644
--- a/Solutions/GitHub/Package/mainTemplate.json
+++ b/Solutions/GitHub/Package/mainTemplate.json
@@ -264,7 +264,7 @@
 "id": "[variables('_uiConfigId1')]",
 "title": "GitHub (using Webhooks) (using Azure Functions)",
 "publisher": "Microsoft",
- "descriptionMarkdown": "The [GitHub](https://www.github.com) webhook data connector provides the capability to ingest GitHub subscribed events into Microsoft Sentinel using [GitHub webhook events](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads). The connector provides ability to get events into Sentinel which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. \n\n **Note:** If you are intended to ingest Github Audit logs, Please refer to GitHub Enterprise Audit Log Connector from \"**Data Connectors**\" gallery.",
+ "descriptionMarkdown": "The [GitHub](https://www.github.com) webhook data connector provides the capability to ingest GitHub subscribed events into Microsoft Sentinel using [GitHub webhook events](https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads). The connector provides ability to get events into Microsoft Sentinel which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. \n\n **Note:** If you are intended to ingest Github Audit logs, Please refer to GitHub Enterprise Audit Log Connector from \"**Data Connectors**\" gallery.",
 "graphQueries": [
 {
 "metricName": "Total data received",
From a3d71efa010423b89ccb6b462d0ffa2abf23821c Mon Sep 17 00:00:00 2001
From: v-sabiraj
Date: Thu, 5 Oct 2023 23:36:47 +0530
Subject: [PATCH 4/4] updating wokbook name for ForcepointCloudSecuirtyGateway
---
 ...on => ForcepointCloudSecuirtyGateway.json} | 0
 .../WorkbookMetadata/WorkbooksMetadata.json | 2 +-
 Workbooks/WorkbooksMetadata.json | 42 +++++++------------
 3 files changed, 15 insertions(+), 29 deletions(-)
 rename Solutions/Forcepoint CSG/Workbooks/{ForcepointCloudSecuirtyGatewayworkbook.json => ForcepointCloudSecuirtyGateway.json} (100%)
diff --git a/Solutions/Forcepoint CSG/Workbooks/ForcepointCloudSecuirtyGatewayworkbook.json b/Solutions/Forcepoint CSG/Workbooks/ForcepointCloudSecuirtyGateway.json
similarity index 100%
rename from Solutions/Forcepoint CSG/Workbooks/ForcepointCloudSecuirtyGatewayworkbook.json
rename to Solutions/Forcepoint CSG/Workbooks/ForcepointCloudSecuirtyGateway.json
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index bf8b4702db4..e7ff532a90e 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -1963,7 +1963,7 @@
 ],
 "version": "1.0.0",
 "title": "Forcepoint Cloud Security Gateway Workbook",
- "templateRelativePath": "ForcepointCloudSecuirtyGatewayworkbook.json",
+ "templateRelativePath": "ForcepointCloudSecuirtyGateway.json",
 "subtitle": "",
 "provider": "Forcepoint"
 },
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index c2a5ed8c8fc..5515869846d 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -2298,7 +2298,7 @@
 ],
 "version": "1.0.0",
 "title": "Forcepoint Cloud Security Gateway Workbook",
- "templateRelativePath": "ForcepointCloudSecuirtyGatewayworkbook.json",
+ "templateRelativePath": "ForcepointCloudSecuirtyGateway.json",
 "subtitle": "",
 "provider": "Forcepoint"
 },
@@ -2880,7 +2880,19 @@
 "title": "Microsoft Defender For Office 365",
 "templateRelativePath": "MicrosoftDefenderForOffice365.json",
 "subtitle": "",
- "provider": "Microsoft Sentinel Community"
+ "provider": "Microsoft Sentinel Community",
+ "support": {
+ "tier": "Community"
+ },
+ "author": {
+ "name": "Brian Delaney"
+ },
+ "source": {
+ "kind": "Community"
+ },
+ "categories": {
+ "domains": [ "Security - Others" ]
+ }
 },
 {
 "workbookKey": "ProofPointThreatDashboard",
@@ -6648,31 +6660,5 @@
 "IT Operations"
 ]
 }
-},
-{
- "workbookKey": "WizFindingsWorkbook",
- "logoFileName": "Wiz_logo.svg",
- "description": "A visualized overview of Wiz Findings.\nExplore, analize and learn about your security posture using Wiz Findings Overview",
- "dataTypesDependencies": [
- "WizIssues_CL",
- "WizVulnerabilities_CL",
- "WizAuditLogs_CL"
- ],
- "dataConnectorsDependencies": [
- "Wiz"
- ],
- "previewImagesFileNames": [
- "WizFindingsBlack1.png",
- "WizFindingsBlack2.png",
- "WizFindingsBlack3.png",
- "WizFindingsWhite1.png",
- "WizFindingsWhite2.png",
- "WizFindingsWhite3.png"
- ],
- "version": "1.0.0",
- "title": "Wiz Findings overview",
- "templateRelativePath": "WizFindings.json",
- "subtitle": "",
- "provider": "Wiz"
 }
 ]
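Review bot: Two changes to `Workbooks/WorkbooksMetadata.json` fall outside what the subject line announces, which is only a Forcepoint workbook rename. The hunk at `@@ -2880,7 +2880,19 @@` adds `support`, `author`, `source` and `categories` to the "Microsoft Defender For Office 365" entry, and the hunk at `@@ -6648,31 +6660,5 @@` removes the whole `WizFindingsWorkbook` entry from the catalog. In a detection-content repository an unannounced catalog removal is hard to audit and may simply be a rebase or merge artifact, so either restore the Wiz entry or state both changes in the message, e.g. `Also add community metadata for MicrosoftDefenderForOffice365; remove WizFindingsWorkbook entry`. The copy under `Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/` receives only the `templateRelativePath` rename in this patch, so it is worth confirming the two metadata files are meant to differ on these entries.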