diff --git a/Solutions/DigitalGuardianDLP/Data/Solution_DigitalGuardianDLP.json b/Solutions/DigitalGuardianDLP/Data/Solution_DigitalGuardianDLP.json
index 067514bf989..cc95cbaa589 100644
--- a/Solutions/DigitalGuardianDLP/Data/Solution_DigitalGuardianDLP.json
+++ b/Solutions/DigitalGuardianDLP/Data/Solution_DigitalGuardianDLP.json
@@ -31,14 +31,14 @@
 "Hunting Queries/DigitalGuardianUrlByUser.yaml"
 ],
 "Parsers": [
- "Parsers/DigitalGuardianDLPEvent.txt"
+ "Parsers/DigitalGuardianDLPEvent.yaml"
 ],
 "Data Connectors": [
 "Data Connectors/Connector_DigitalGuardian_Syslog.json"
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\DigitalGuardianDLP",
- "Version": "2.0.1",
+ "Version": "3.0.0",
 "TemplateSpec": true,
 "Is1PConnector": false
 }
\ No newline at end of file
diff --git a/Solutions/DigitalGuardianDLP/Data/system_generated_metadata.json b/Solutions/DigitalGuardianDLP/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..fb66ceb07c8
--- /dev/null
+++ b/Solutions/DigitalGuardianDLP/Data/system_generated_metadata.json
@@ -0,0 +1,33 @@ +{ + "Name": "Digital Guardian Data Loss Prevention", + "Author": "Microsoft - support@microsoft.com", + "Logo": "", + "Description": "The [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)", + "Metadata": "SolutionMetadata.json", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\DigitalGuardianDLP", + "Version": "3.0.0", + "TemplateSpec": true, + "Is1PConnector": false, + "publisherId": "azuresentinel", + "offerId": "azure-sentinel-solution-digitalguardiandlp", + "providers": [ + "Digital Guardian" + ], + "categories": { + "domains": [ + "Security – Information Protection" + ] + }, + "firstPublishDate": "2021-07-23", + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "Data Connectors": "[\n \"Data Connectors/Connector_DigitalGuardian_Syslog.json\"\n]", + "Parsers": "[\n \"DigitalGuardianDLPEvent.yaml\"\n]", + "Workbooks": "[\n \"Workbooks/DigitalGuardian.json\"\n]", + "Analytic Rules": "[\n \"DigitalGuardianClassifiedDataInsecureTransfer.yaml\",\n \"DigitalGuardianExfiltrationOverDNS.yaml\",\n \"DigitalGuardianExfiltrationToFileShareServices.yaml\",\n \"DigitalGuardianFileSentToExternal.yaml\",\n \"DigitalGuardianFileSentToExternalDomain.yaml\",\n \"DigitalGuardianFilesSentToExternalDomain.yaml\",\n \"DigitalGuardianMultipleIncidentsFromUser.yaml\",\n 
\"DigitalGuardianPossibleProtocolAbuse.yaml\",\n \"DigitalGuardianUnexpectedProtocol.yaml\",\n \"DigitalGuardianViolationNotBlocked.yaml\"\n]",
+ "Hunting Queries": "[\n \"DigitalGuardianDomains.yaml\",\n \"DigitalGuardianFilesSentByUsers.yaml\",\n \"DigitalGuardianIncidentsByUser.yaml\",\n \"DigitalGuardianInsecureProtocolSources.yaml\",\n \"DigitalGuardianInspectedFiles.yaml\",\n \"DigitalGuardianNewIncidents.yaml\",\n \"DigitalGuardianRareDestinationPorts.yaml\",\n \"DigitalGuardianRareNetworkProtocols.yaml\",\n \"DigitalGuardianRareUrls.yaml\",\n \"DigitalGuardianUrlByUser.yaml\"\n]"
+}
diff --git a/Solutions/DigitalGuardianDLP/Package/3.0.0.zip b/Solutions/DigitalGuardianDLP/Package/3.0.0.zip
new file mode 100644
index 00000000000..21e39879000
Binary files /dev/null and b/Solutions/DigitalGuardianDLP/Package/3.0.0.zip differ
diff --git a/Solutions/DigitalGuardianDLP/Package/createUiDefinition.json b/Solutions/DigitalGuardianDLP/Package/createUiDefinition.json
index fd55f70c7b0..1d694d2a7ec 100644
--- a/Solutions/DigitalGuardianDLP/Package/createUiDefinition.json
+++ b/Solutions/DigitalGuardianDLP/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) solution provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\r\n \r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/DigitalGuardianDLP/ReleaseNotes.md)\r \n There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional 
ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -107,6 +107,20 @@
 "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
 }
 }
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": "DigitalGuardianDLP",
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Sets the time name for analysis"
+ }
+ }
+ ]
 }
 ]
 },
@@ -309,7 +323,7 @@
 "name": "huntingquery1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for incident domains. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for incident domains. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -323,7 +337,7 @@
 "name": "huntingquery2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for files sent by users. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for files sent by users. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
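Review bot: The text block added for the new `workbook1` section, `"text": "Sets the time name for analysis"`, describes the workbook's TimeRange parameter rather than the workbook, so the install wizard shows the user a sentence that says nothing about what they are installing. The same string appears as the `description` of the `TimeRange` parameter inside the workbook's serializedData in mainTemplate.json, which suggests the wrong field was picked up when the section was generated. Replace it with a one-sentence summary of the workbook and its dependency, in the same form the hunting-query text blocks in this file use, e.g. `"text": "Overview of Digital Guardian DLP events (events over time, network protocols, source IP addresses and users). This workbook depends on the DigitalGuardianDLP data connector and the DigitalGuardianDLPEvent parser."`.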
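Review bot: The rewritten text for `huntingquery1-text` drops the terminal period the previous sentence had and ends in a parenthetical fragment, `... depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)`; the same applies to the nine sibling hunks @@ -323 through @@ -435 in this file. These strings are rendered to the installer, so keep them complete sentences with a consistent article and casing, e.g. `"text": "Query searches for incident domains. This hunting query depends on the DigitalGuardianDLP data connector (DigitalGuardianDLPEvent parser or table)."`, and the corresponding form for the other nine.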
@@ -337,7 +351,7 @@
 "name": "huntingquery3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for users' incidents. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for users' incidents. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -351,7 +365,7 @@
 "name": "huntingquery4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for insecure file transfer sources. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for insecure file transfer sources. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -365,7 +379,7 @@
 "name": "huntingquery5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for inspected files. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for inspected files. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -379,7 +393,7 @@
 "name": "huntingquery6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for new incidents. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for new incidents. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -393,7 +407,7 @@
 "name": "huntingquery7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for rare destination ports. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for rare destination ports. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -407,7 +421,7 @@
 "name": "huntingquery8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches rare network protocols. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches rare network protocols. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -421,7 +435,7 @@
 "name": "huntingquery9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for rare Urls. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for rare Urls. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -435,7 +449,7 @@
 "name": "huntingquery10-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for URLs used. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for URLs used. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
diff --git a/Solutions/DigitalGuardianDLP/Package/mainTemplate.json b/Solutions/DigitalGuardianDLP/Package/mainTemplate.json
index 79fe78496d3..3afe782da3e 100644
--- a/Solutions/DigitalGuardianDLP/Package/mainTemplate.json
+++ b/Solutions/DigitalGuardianDLP/Package/mainTemplate.json 
@@ -38,162 +38,170 @@ } }, "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-digitalguardiandlp", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", + "_solutionName": "Digital Guardian Data Loss Prevention", + "_solutionVersion": "3.0.0", + "solutionId": "azuresentinel.azure-sentinel-solution-digitalguardiandlp", + "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", "workbookContentId1": "DigitalGuardianWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "analyticRuleVersion1": "1.0.0", "analyticRulecontentId1": "b52cda18-c1af-40e5-91f3-1fcbf9fa267e", "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "_analyticRulecontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", "analyticRuleVersion2": "1.0.0", "analyticRulecontentId2": "39e25deb-49bb-4cdb-89c1-c466d596e2bd", "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", "analyticRuleVersion3": "1.0.0", "analyticRulecontentId3": "f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8", "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", "analyticRuleVersion4": "1.0.0", "analyticRulecontentId4": 
"edead9b5-243a-466b-ae78-2dae32ab1117", "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", "analyticRuleVersion5": "1.0.0", "analyticRulecontentId5": "a19885c8-1e44-47e3-81df-d1d109f5c92d", "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", "analyticRuleVersion6": "1.0.0", "analyticRulecontentId6": "5f75a873-b524-4ba5-a3b8-2c20db517148", "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": 
"[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", "analyticRuleVersion7": "1.0.0", "analyticRulecontentId7": "e8901dac-2549-4948-b793-5197a5ed697a", "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", "analyticRuleVersion8": "1.0.0", "analyticRulecontentId8": "a374a933-f6c4-4200-8682-70402a9054dd", "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", + 
"_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", "analyticRuleVersion9": "1.0.0", "analyticRulecontentId9": "a14f2f95-bbd2-4036-ad59-e3aff132b296", "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", "analyticRuleVersion10": "1.0.0", "analyticRulecontentId10": "07bca129-e7d6-4421-b489-32abade0b6a7", "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10')))]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", "huntingQueryVersion1": "1.0.0", 
"huntingQuerycontentId1": "444c91d4-e4b8-4adc-9b05-61fe908441b8", "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", + "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", "huntingQueryVersion2": "1.0.0", "huntingQuerycontentId2": "66dd7ab7-bbc0-48b7-a3b9-4e71e610df48", "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2')))]", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", + "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", "huntingQueryVersion3": "1.0.0", "huntingQuerycontentId3": "83d5652c-025c-4cee-9f33-3bc114648859", "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": 
"[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3')))]", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", + "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", "huntingQueryVersion4": "1.0.0", "huntingQuerycontentId4": "196930a4-bd79-4800-b2bb-582a8f1c8dd4", "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4')))]", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", + "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", "huntingQueryVersion5": "1.0.0", "huntingQuerycontentId5": "e459b709-55f7-48b6-8afc-0ae1062d3584", "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5')))]", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]", + 
"_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", "huntingQueryVersion6": "1.0.0", "huntingQuerycontentId6": "ae482a2c-b4e7-46fc-aeb7-744f7aad27ea", "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6')))]", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]", + "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]", "huntingQueryVersion7": "1.0.0", "huntingQuerycontentId7": "82cba92e-fe2f-4bba-9b46-647040b24090", "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]", "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7')))]", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))))]", + "_huntingQuerycontentProductId7": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId7'),'-', variables('huntingQueryVersion7'))))]", "huntingQueryVersion8": "1.0.0", 
"huntingQuerycontentId8": "8ab2f0db-baa1-495c-a8dd-718b81d0b8c7", "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8')))]", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))))]", + "_huntingQuerycontentProductId8": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId8'),'-', variables('huntingQueryVersion8'))))]", "huntingQueryVersion9": "1.0.0", "huntingQuerycontentId9": "b9a69da9-1ca0-4e09-a24f-5d88d57e0402", "_huntingQuerycontentId9": "[variables('huntingQuerycontentId9')]", "huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]", - "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9')))]", + "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))))]", + "_huntingQuerycontentProductId9": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId9'),'-', variables('huntingQueryVersion9'))))]", "huntingQueryVersion10": "1.0.0", "huntingQuerycontentId10": "310433ca-67aa-406d-bbdf-c167a474b0a0", "_huntingQuerycontentId10": "[variables('huntingQuerycontentId10')]", "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]", - 
"huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10')))]", - "parserVersion1": "1.0.0", - "parserContentId1": "DigitalGuardianDLPEvent-Parser", - "_parserContentId1": "[variables('parserContentId1')]", + "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))))]", + "_huntingQuerycontentProductId10": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId10'),'-', variables('huntingQueryVersion10'))))]", "parserName1": "DigitalGuardianDLP Data Parser", "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", + "parserVersion1": "1.0.0", + "parserContentId1": "DigitalGuardianDLPEvent-Parser", + "_parserContentId1": "[variables('parserContentId1')]", + "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", "uiConfigId1": "DigitalGuardianDLP", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "DigitalGuardianDLP", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0" + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Workbook with template", - "displayName": "Digital Guardian Data Loss Prevention workbook template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - 
"hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianWorkbook Workbook with template version 2.0.1", + "description": "DigitalGuardianWorkbook Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
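Review bot: The workbook content template's `description` still hard-codes the release in a literal, `"DigitalGuardianWorkbook Workbook with template version 3.0.0"`, even though this same hunk introduces `"_solutionVersion": "3.0.0"` in `variables`, so the next bump has to be applied in two places and they can drift. Consider `"description": "[concat('DigitalGuardianWorkbook Workbook with template version ', variables('_solutionVersion'))]"` so the string follows the variable. Two things to confirm outside this hunk: `workspaceResourceId` is kept while its only visible consumers, the removed `hidden-sentinelWorkspaceId` tags, are gone, so it may now be unused; and the new `dependsOn` points at a `Microsoft.SecurityInsights/contentPackages` resource named by `_solutionId` that must be declared elsewhere in this template. The `apiVersion` `2023-04-01-preview` is a preview API and may change before the next release, so it is worth pinning deliberately rather than by generator default. The `resources` array continues past the end of the hunk.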
@@ -211,7 +219,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **DigitalGuardianDLPEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-DigitalGuardian-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"green\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"45\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| summarize count() by NetworkApplicationProtocol\",\"size\":3,\"title\":\"Network 
Protocols\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Data Connector Statistics\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize dcount(SrcIpAddr)\",\"size\":3,\"title\":\"IP Addresses\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcUserName)\\n| summarize dcount(SrcUserName)\",\"size\":3,\"title\":\"Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcIpAddr)\\n| summarize dcount(SrcIpAddr)\",\"size\":3,\"title\":\"Hosts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where 
isnotempty(IncidentId)\\n| summarize dcount(IncidentId)\",\"size\":3,\"title\":\"Total Incidents\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"customWidth\":\"20\",\"name\":\"group - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\\r\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Source Addresses\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"cat\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"35\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcUserName)\\n| summarize count() by SrcUserName\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"35\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(http_url)\\n| 
extend u = parse_url(http_url)\\n| extend Domain = tostring(u.Host)\\n| summarize count() by Domain\\n| project Domain, EventCount=count_\",\"size\":3,\"title\":\"Top domains\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10}},\"customWidth\":\"30\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(DstUserName)\\n| summarize f = makeset(inspected_document) by DstUserName\\n| project Email = DstUserName, Files = f, FileCount = array_length(f)\",\"size\":0,\"title\":\"Top Recipients\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalMailsReceived\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"40\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(inspected_document)\\r\\n| order by TimeGenerated\\r\\n| project File=inspected_document, User=SrcUserName, Policy=MatchedPolicies\",\"size\":0,\"title\":\"Inspected files\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total Bytes 
(KB)\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TrafficVolume(MB)\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"55\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(IncidentStatus)\\r\\n| extend inc_act = split(IncidentStatus, ',')\\r\\n| where inc_act has 'New'\\r\\n| order by TimeGenerated\\r\\n| project TimeGenerated, User=SrcUserName, File=inspected_document, MatchedPolicies\\r\\n\",\"size\":0,\"title\":\"New Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 1\"}],\"fromTemplateId\":\"sentinel-DigitalGuardianWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **DigitalGuardianDLPEvent** to work as expected. 
[Follow steps to get this Kusto Function](https://aka.ms/sentinel-DigitalGuardianDLP-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"green\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"45\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| summarize count() by NetworkApplicationProtocol\",\"size\":3,\"title\":\"Network Protocols\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Data Connector 
Statistics\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize dcount(SrcIpAddr)\",\"size\":3,\"title\":\"IP Addresses\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcUserName)\\n| summarize dcount(SrcUserName)\",\"size\":3,\"title\":\"Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcIpAddr)\\n| summarize dcount(SrcIpAddr)\",\"size\":3,\"title\":\"Hosts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(IncidentId)\\n| summarize dcount(IncidentId)\",\"size\":3,\"title\":\"Total 
Incidents\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"customWidth\":\"20\",\"name\":\"group - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\\r\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Source Addresses\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"cat\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"35\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcUserName)\\n| summarize count() by SrcUserName\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"35\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(http_url)\\n| extend u = parse_url(http_url)\\n| extend Domain = tostring(u.Host)\\n| summarize count() 
by Domain\\n| project Domain, EventCount=count_\",\"size\":3,\"title\":\"Top domains\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10}},\"customWidth\":\"30\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(DstUserName)\\n| summarize f = makeset(inspected_document) by DstUserName\\n| project Email = DstUserName, Files = f, FileCount = array_length(f)\",\"size\":0,\"title\":\"Top Recipients\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalMailsReceived\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"40\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(inspected_document)\\r\\n| order by TimeGenerated\\r\\n| project File=inspected_document, User=SrcUserName, Policy=MatchedPolicies\",\"size\":0,\"title\":\"Inspected files\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total Bytes 
(KB)\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TrafficVolume(MB)\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"55\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(IncidentStatus)\\r\\n| extend inc_act = split(IncidentStatus, ',')\\r\\n| where inc_act has 'New'\\r\\n| order by TimeGenerated\\r\\n| project TimeGenerated, User=SrcUserName, File=inspected_document, MatchedPolicies\\r\\n\",\"size\":0,\"title\":\"New Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 1\"}],\"fromTemplateId\":\"sentinel-DigitalGuardianWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
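Review bot: The "Hosts" card inside the Data Connector Statistics group runs the same query as the "IP Addresses" card beside it, `DigitalGuardianDLPEvent | where isnotempty(SrcIpAddr) | summarize dcount(SrcIpAddr)`, so the new serializedData still reports the IP-address count twice under two labels. If the parser exposes a host-identifying column, the Hosts tile should count that column instead; otherwise the tile is redundant and could be dropped. Two items in that group also share the name `query - 3`, which is worth de-duplicating since item names are used as references inside the workbook. The Top Recipients tile carries tileSettings matching columns (`User`, `TotalMailsReceived`, `Trend`) its query never projects; harmless for a table visualization, but dead configuration that will mislead the next editor.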
@@ -241,41 +249,47 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "DigitalGuardianDLPEvent", + "kind": "DataType" + }, + { + "contentId": "DigitalGuardianDLP", + "kind": "DataConnector" + } + ] } } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 1 with template", - "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianClassifiedDataInsecureTransfer_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "DigitalGuardianClassifiedDataInsecureTransfer_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion1')]", @@ -284,7 +298,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId1')]", + "name": "[variables('analyticRulecontentId1')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -312,24 +326,27 @@ "tactics": [ "Exfiltration" ], + "techniques": [ + "T1048" + ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "Name" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } 
@@ -362,37 +379,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "Digital Guardian - Sensitive data transfer over insecure channel", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 2 with template", - "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
"DigitalGuardianExfiltrationOverDNS_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "DigitalGuardianExfiltrationOverDNS_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion2')]", @@ -401,7 +411,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", + "name": "[variables('analyticRulecontentId2')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -429,15 +439,18 @@ "tactics": [ "Exfiltration" ], + "techniques": [ + "T1048" + ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } 
@@ -470,37 +483,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId2')]", + "contentKind": "AnalyticsRule", + "displayName": "Digital Guardian - Exfiltration using DNS protocol", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 3 with template", - "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
"DigitalGuardianExfiltrationToFileShareServices_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "DigitalGuardianExfiltrationToFileShareServices_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion3')]", @@ -509,7 +515,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId3')]", + "name": "[variables('analyticRulecontentId3')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -537,15 +543,18 @@ "tactics": [ "Exfiltration" ], + "techniques": [ + "T1048" + ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } 
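Review bot: The `techniques` array added in the `@@ -537,15 +543,18 @@` hunk tags the file-share exfiltration rule with `T1048` (Exfiltration Over Alternative Protocol), the same id this commit applies to all five rules; for a detection whose displayName is "Exfiltration to online fileshare" the closer ATT&CK mapping is `T1567` (Exfiltration Over Web Service), with `T1567.002` (Exfiltration to Cloud Storage) if the content validator accepts sub-technique ids. The DNS and insecure-channel rules are reasonably covered by T1048, so only this rule appears to need a different value. Leaving it as-is does not break deployment, but the MITRE coverage view in Sentinel will list this rule under a technique it does not really detect. The enclosing AlertRuleTemplates resource starts and ends outside the hunk.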
@@ -578,37 +587,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId3')]", + "contentKind": "AnalyticsRule", + "displayName": "Digital Guardian - Exfiltration to online fileshare", + "contentProductId": "[variables('_analyticRulecontentProductId3')]", + "id": "[variables('_analyticRulecontentProductId3')]", + "version": "[variables('analyticRuleVersion3')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 4 with template", - "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianFileSentToExternal_AnalyticalRules 
Analytics Rule with template version 2.0.1", + "description": "DigitalGuardianFileSentToExternal_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion4')]", @@ -617,7 +619,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId4')]", + "name": "[variables('analyticRulecontentId4')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -645,15 +647,18 @@ "tactics": [ "Exfiltration" ], + "techniques": [ + "T1048" + ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } 
@@ -686,37 +691,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId4')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Digital Guardian - Exfiltration to private email",
+ "contentProductId": "[variables('_analyticRulecontentProductId4')]",
+ "id": "[variables('_analyticRulecontentProductId4')]",
+ "version": "[variables('analyticRuleVersion4')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName5')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Analytics Rule 5 with template",
- "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DigitalGuardianFileSentToExternalDomain_AnalyticalRules 
Analytics Rule with template version 2.0.1",
+ "description": "DigitalGuardianFileSentToExternalDomain_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion5')]",
@@ -725,7 +723,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId5')]",
+ "name": "[variables('analyticRulecontentId5')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -753,15 +751,18 @@
 "tactics": [
 "Exfiltration"
 ],
+ "techniques": [
+ "T1048"
+ ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -794,37 +795,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId5')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Digital Guardian - Exfiltration to external domain",
+ "contentProductId": "[variables('_analyticRulecontentProductId5')]",
+ "id": "[variables('_analyticRulecontentProductId5')]",
+ "version": "[variables('analyticRuleVersion5')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName6')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Analytics Rule 6 with template",
- "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DigitalGuardianFilesSentToExternalDomain_AnalyticalRules 
Analytics Rule with template version 2.0.1",
+ "description": "DigitalGuardianFilesSentToExternalDomain_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion6')]",
@@ -833,7 +827,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId6')]",
+ "name": "[variables('analyticRulecontentId6')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -861,15 +855,18 @@
 "tactics": [
 "Exfiltration"
 ],
+ "techniques": [
+ "T1048"
+ ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -902,37 +899,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId6')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Digital Guardian - Bulk exfiltration to external domain",
+ "contentProductId": "[variables('_analyticRulecontentProductId6')]",
+ "id": "[variables('_analyticRulecontentProductId6')]",
+ "version": "[variables('analyticRuleVersion6')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName7')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Analytics Rule 7 with template",
- "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": 
"DigitalGuardianMultipleIncidentsFromUser_AnalyticalRules Analytics Rule with template version 2.0.1",
+ "description": "DigitalGuardianMultipleIncidentsFromUser_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion7')]",
@@ -941,7 +931,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId7')]",
+ "name": "[variables('analyticRulecontentId7')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -969,15 +959,18 @@
 "tactics": [
 "Exfiltration"
 ],
+ "techniques": [
+ "T1048"
+ ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1010,37 +1003,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId7')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Digital Guardian - Multiple incidents from user",
+ "contentProductId": "[variables('_analyticRulecontentProductId7')]",
+ "id": "[variables('_analyticRulecontentProductId7')]",
+ "version": "[variables('analyticRuleVersion7')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName8')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Analytics Rule 8 with template",
- "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DigitalGuardianPossibleProtocolAbuse_AnalyticalRules 
Analytics Rule with template version 2.0.1",
+ "description": "DigitalGuardianPossibleProtocolAbuse_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion8')]",
@@ -1049,7 +1035,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId8')]",
+ "name": "[variables('analyticRulecontentId8')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1077,15 +1063,18 @@
 "tactics": [
 "Exfiltration"
 ],
+ "techniques": [
+ "T1048"
+ ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1118,37 +1107,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId8')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Digital Guardian - Possible SMTP protocol abuse",
+ "contentProductId": "[variables('_analyticRulecontentProductId8')]",
+ "id": "[variables('_analyticRulecontentProductId8')]",
+ "version": "[variables('analyticRuleVersion8')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName9')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Analytics Rule 9 with template",
- "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DigitalGuardianUnexpectedProtocol_AnalyticalRules 
Analytics Rule with template version 2.0.1",
+ "description": "DigitalGuardianUnexpectedProtocol_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion9')]",
@@ -1157,7 +1139,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId9')]",
+ "name": "[variables('analyticRulecontentId9')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1185,15 +1167,18 @@
 "tactics": [
 "Exfiltration"
 ],
+ "techniques": [
+ "T1048"
+ ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1226,37 +1211,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId9')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Digital Guardian - Unexpected protocol",
+ "contentProductId": "[variables('_analyticRulecontentProductId9')]",
+ "id": "[variables('_analyticRulecontentProductId9')]",
+ "version": "[variables('analyticRuleVersion9')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('analyticRuleTemplateSpecName10')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Analytics Rule 10 with template",
- "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName10'),'/',variables('analyticRuleVersion10'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DigitalGuardianViolationNotBlocked_AnalyticalRules Analytics 
Rule with template version 2.0.1",
+ "description": "DigitalGuardianViolationNotBlocked_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion10')]",
@@ -1265,7 +1243,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId10')]",
+ "name": "[variables('analyticRulecontentId10')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1293,15 +1271,18 @@
 "tactics": [
 "Exfiltration"
 ],
+ "techniques": [
+ "T1048"
+ ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1334,37 +1315,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId10')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Digital Guardian - Incident with not blocked action",
+ "contentProductId": "[variables('_analyticRulecontentProductId10')]",
+ "id": "[variables('_analyticRulecontentProductId10')]",
+ "version": "[variables('analyticRuleVersion10')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('huntingQueryTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Hunting Query 1 with template",
- "displayName": "Digital Guardian Data Loss Prevention Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DigitalGuardianDomains_HuntingQueries Hunting Query 
with template version 2.0.1",
+ "description": "DigitalGuardianDomains_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion1')]",
@@ -1373,7 +1347,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
 "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_1",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -1426,37 +1400,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Digital Guardian - Incident domains",
+ "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
+ "id": "[variables('_huntingQuerycontentProductId1')]",
+ "version": "[variables('huntingQueryVersion1')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('huntingQueryTemplateSpecName2')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Hunting Query 2 with template",
- "displayName": "Digital Guardian Data Loss Prevention Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DigitalGuardianFilesSentByUsers_HuntingQueries Hunting Query with template 
version 2.0.1",
+ "description": "DigitalGuardianFilesSentByUsers_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion2')]",
@@ -1465,7 +1432,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
 "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_2",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -1518,37 +1485,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Digital Guardian - Files sent by users",
+ "contentProductId": "[variables('_huntingQuerycontentProductId2')]",
+ "id": "[variables('_huntingQuerycontentProductId2')]",
+ "version": "[variables('huntingQueryVersion2')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('huntingQueryTemplateSpecName3')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Hunting Query 3 with template",
- "displayName": "Digital Guardian Data Loss Prevention Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DigitalGuardianIncidentsByUser_HuntingQueries Hunting Query with 
template version 2.0.1",
+ "description": "DigitalGuardianIncidentsByUser_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion3')]",
@@ -1557,14 +1517,14 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
 "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_3",
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
 "displayName": "Digital Guardian - Users' incidents",
 "category": "Hunting Queries",
- "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(IncidentStatus)\n| where inc_act has 'New'\n| summarize makeset(IncidentsUrl) by SrcUserName\n| extend AccountCustomEntity = SrcUserName\n",
+ "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(IncidentStatus)\n| where IncidentStatus has 'New'\n| summarize makeset(IncidentsUrl) by SrcUserName\n| extend AccountCustomEntity = SrcUserName\n",
 "version": 2,
 "tags": [
 {
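Review bot: The corrected hunting query still calls `makeset()`, which Kusto documents as a deprecated alias of `make_set()`, and `IncidentStatus has 'New'` is a whole-term match that would also accept any multi-word status containing the term "New". If the status vocabulary is a closed set, an exact comparison is the safer filter: `| where IncidentStatus =~ 'New'` together with `| summarize make_set(IncidentsUrl) by SrcUserName`. With that filter in place the preceding `isnotempty(IncidentStatus)` guard is redundant and can be dropped. The savedSearches resource's `tags` array continues past the end of the hunk, so the rest of the entry was not reviewed.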
@@ -1610,37 +1570,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId3')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Digital Guardian - Users' incidents",
+ "contentProductId": "[variables('_huntingQuerycontentProductId3')]",
+ "id": "[variables('_huntingQuerycontentProductId3')]",
+ "version": "[variables('huntingQueryVersion3')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('huntingQueryTemplateSpecName4')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Hunting Query 4 with template",
- "displayName": "Digital Guardian Data Loss Prevention Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName4'),'/',variables('huntingQueryVersion4'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DigitalGuardianInsecureProtocolSources_HuntingQueries Hunting Query with 
template version 2.0.1",
+ "description": "DigitalGuardianInsecureProtocolSources_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion4')]",
@@ -1649,7 +1602,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
 "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_4",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -1702,37 +1655,30 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId4')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Digital Guardian - Insecure file transfer sources",
+ "contentProductId": "[variables('_huntingQuerycontentProductId4')]",
+ "id": "[variables('_huntingQuerycontentProductId4')]",
+ "version": "[variables('huntingQueryVersion4')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('huntingQueryTemplateSpecName5')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Hunting Query 5 with template",
- "displayName": "Digital Guardian Data Loss Prevention Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName5'),'/',variables('huntingQueryVersion5'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DigitalGuardianInspectedFiles_HuntingQueries Hunting Query 
with template version 2.0.1",
+ "description": "DigitalGuardianInspectedFiles_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion5')]",
@@ -1741,7 +1687,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
 "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_5",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -1794,37 +1740,30 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId5')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Digital Guardian - Inspected files",
+ "contentProductId": "[variables('_huntingQuerycontentProductId5')]",
+ "id": "[variables('_huntingQuerycontentProductId5')]",
+ "version": "[variables('huntingQueryVersion5')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('huntingQueryTemplateSpecName6')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Hunting Query 6 with template",
- "displayName": "Digital Guardian Data Loss Prevention Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName6'),'/',variables('huntingQueryVersion6'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DigitalGuardianNewIncidents_HuntingQueries Hunting Query with template 
version 2.0.1",
+ "description": "DigitalGuardianNewIncidents_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion6')]",
@@ -1833,7 +1772,7 @@
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_6",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -1886,37 +1825,30 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId6')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Digital Guardian - New incidents",
+ "contentProductId": "[variables('_huntingQuerycontentProductId6')]",
+ "id": "[variables('_huntingQuerycontentProductId6')]",
+ "version": "[variables('huntingQueryVersion6')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('huntingQueryTemplateSpecName7')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Hunting Query 7 with template",
- "displayName": "Digital Guardian Data Loss Prevention Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName7'),'/',variables('huntingQueryVersion7'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DigitalGuardianRareDestinationPorts_HuntingQueries Hunting Query with template 
version 2.0.1",
+ "description": "DigitalGuardianRareDestinationPorts_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion7')]",
@@ -1925,7 +1857,7 @@
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_7",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -1978,37 +1910,30 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId7')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Digital Guardian - Rare destination ports",
+ "contentProductId": "[variables('_huntingQuerycontentProductId7')]",
+ "id": "[variables('_huntingQuerycontentProductId7')]",
+ "version": "[variables('huntingQueryVersion7')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('huntingQueryTemplateSpecName8')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Hunting Query 8 with template",
- "displayName": "Digital Guardian Data Loss Prevention Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName8'),'/',variables('huntingQueryVersion8'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DigitalGuardianRareNetworkProtocols_HuntingQueries Hunting Query with 
template version 2.0.1",
+ "description": "DigitalGuardianRareNetworkProtocols_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion8')]",
@@ -2017,7 +1942,7 @@
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_8",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -2070,37 +1995,30 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId8')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Digital Guardian - Rare network protocols",
+ "contentProductId": "[variables('_huntingQuerycontentProductId8')]",
+ "id": "[variables('_huntingQuerycontentProductId8')]",
+ "version": "[variables('huntingQueryVersion8')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('huntingQueryTemplateSpecName9')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Hunting Query 9 with template",
- "displayName": "Digital Guardian Data Loss Prevention Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName9'),'/',variables('huntingQueryVersion9'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName9'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DigitalGuardianRareUrls_HuntingQueries Hunting Query with template 
version 2.0.1",
+ "description": "DigitalGuardianRareUrls_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion9')]",
@@ -2109,7 +2027,7 @@
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_9",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -2162,37 +2080,30 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId9')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Digital Guardian - Rare Urls",
+ "contentProductId": "[variables('_huntingQuerycontentProductId9')]",
+ "id": "[variables('_huntingQuerycontentProductId9')]",
+ "version": "[variables('huntingQueryVersion9')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('huntingQueryTemplateSpecName10')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention Hunting Query 10 with template",
- "displayName": "Digital Guardian Data Loss Prevention Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName10'),'/',variables('huntingQueryVersion10'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName10'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DigitalGuardianUrlByUser_HuntingQueries Hunting Query with template version 
2.0.1",
+ "description": "DigitalGuardianUrlByUser_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion10')]",
@@ -2201,7 +2112,7 @@
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_10",
"location": "[parameters('workspace-location')]",
"properties": {
@@ -2254,37 +2165,30 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId10')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Digital Guardian - Urls used",
+ "contentProductId": "[variables('_huntingQuerycontentProductId10')]",
+ "id": "[variables('_huntingQuerycontentProductId10')]",
+ "version": "[variables('huntingQueryVersion10')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('parserTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
- "properties": {
- "description": "DigitalGuardianDLPEvent Data Parser with template",
- "displayName": "DigitalGuardianDLPEvent Data Parser template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DigitalGuardianDLPEvent Data Parser with template version 2.0.1",
+ "description": "DigitalGuardianDLPEvent Data Parser with template version 
3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
@@ -2293,20 +2197,21 @@
"resources": [
{
"name": "[variables('_parserName1')]",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "DigitalGuardianDLP Data Parser",
- "category": "Samples",
+ "category": "Microsoft Sentinel Parser",
"functionAlias": "DigitalGuardianDLPEvent",
- "query": "\nSyslog\r\n| where SyslogMessage contains 'managed_device_id' and SyslogMessage contains 'number_of_incidents'\r\n| mv-apply ExtractedFields = extract_all(@'\\s(?P[a-zA-Z0-9-_]+)=\\\"?(?P[a-zA-Z0-9-_:/@.,#{}>< ]+)\\\"?', dynamic([\"key\",\"value\"]), SyslogMessage) on (\r\n project packed = pack(tostring(ExtractedFields[0]), tostring(ExtractedFields[1]))\r\n | summarize bag = make_bag(packed)\r\n)\r\n| evaluate bag_unpack(bag)\r\n| extend EventEndTime=todatetime(timestamp)\r\n| project-away timestamp\r\n| project-rename DvcAvtion=action_taken\r\n , DstUserName=destination\r\n , DstIpAddr=destination_ip\r\n , DstPortNumber=destination_port\r\n , IncidentId=incident_id\r\n , IncidentStatus=incident_status\r\n , IncidentsUrl=incidents_url\r\n , MatchedPolicies=matched_policies_by_severity\r\n , EventCount=number_of_incidents\r\n , NetworkApplicationProtocol=protocol\r\n , SrcUserName=source\r\n , SrcIpAddr=source_ip\r\n , SrcPortNumber=source_port\r\n",
- "version": 1,
+ "query": "Syslog\n| where SyslogMessage contains 'managed_device_id' and SyslogMessage contains 'number_of_incidents'\n| mv-apply ExtractedFields = extract_all(@'\\s(?P[a-zA-Z0-9-_]+)=\\\"?(?P[a-zA-Z0-9-_:/@.,#{}>< ]+)\\\"?', dynamic([\"key\",\"value\"]), SyslogMessage) on (\n project packed = pack(tostring(ExtractedFields[0]), tostring(ExtractedFields[1]))\n | summarize bag = make_bag(packed)\n)\n| evaluate bag_unpack(bag)\n| extend EventEndTime=todatetime(timestamp)\n| project-away timestamp\n| project-rename DvcAvtion=action_taken\n , 
DstUserName=destination\n , DstIpAddr=destination_ip\n , DstPortNumber=destination_port\n , IncidentId=incident_id\n , IncidentStatus=incident_status\n , IncidentsUrl=incidents_url\n , MatchedPolicies=matched_policies_by_severity\n , EventCount=number_of_incidents\n , NetworkApplicationProtocol=protocol\n , SrcUserName=source\n , SrcIpAddr=source_ip\n , SrcPortNumber=source_port\n",
+ "functionParameters": "",
+ "version": 2,
"tags": [
{
"name": "description",
- "value": "DigitalGuardianDLP Data Parser"
+ "value": ""
}
]
}
@@ -2316,7 +2221,7 @@
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
- "[variables('_parserName1')]"
+ "[variables('_parserId1')]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
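Review bot: `project-rename DvcAvtion=action_taken` in the new query string keeps a misspelled output column while every other rename uses an ASIM-style name, so this presumably should read `DvcAction=action_taken`; the identical string is repeated in the second copy of the parser in the hunk at -2341 and both would need to change together, along with any workbook or rule that references the column. The description tag also regresses from `"value": "DigitalGuardianDLP Data Parser"` to `"value": ""` in both copies, leaving the saved function with no description in the workspace. Separately, the column set after `evaluate bag_unpack(bag)` is determined by whichever keys the syslog payload happens to contain, and a rename of a column that is absent is a query error rather than an empty result, so a window with no `action_taken` key (or a sender that omits one) breaks every consumer of the function; wrapping the inputs with `column_ifexists()` before the renames would give the parser a stable output schema. The savedSearches resource is complete within the hunk, but the surrounding resources array continues outside it.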
@@ -2341,21 +2246,39 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_parserContentId1')]",
+ "contentKind": "Parser",
+ "displayName": "DigitalGuardianDLP Data Parser",
+ "contentProductId": "[variables('_parsercontentProductId1')]",
+ "id": "[variables('_parsercontentProductId1')]",
+ "version": "[variables('parserVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2021-06-01",
+ "apiVersion": "2022-10-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "DigitalGuardianDLP Data Parser",
- "category": "Samples",
+ "category": "Microsoft Sentinel Parser",
"functionAlias": "DigitalGuardianDLPEvent",
- "query": "\nSyslog\r\n| where SyslogMessage contains 'managed_device_id' and SyslogMessage contains 'number_of_incidents'\r\n| mv-apply ExtractedFields = extract_all(@'\\s(?P[a-zA-Z0-9-_]+)=\\\"?(?P[a-zA-Z0-9-_:/@.,#{}>< ]+)\\\"?', dynamic([\"key\",\"value\"]), SyslogMessage) on (\r\n project packed = pack(tostring(ExtractedFields[0]), tostring(ExtractedFields[1]))\r\n | summarize bag = make_bag(packed)\r\n)\r\n| evaluate bag_unpack(bag)\r\n| extend EventEndTime=todatetime(timestamp)\r\n| project-away timestamp\r\n| project-rename DvcAvtion=action_taken\r\n , DstUserName=destination\r\n , DstIpAddr=destination_ip\r\n , DstPortNumber=destination_port\r\n , IncidentId=incident_id\r\n , IncidentStatus=incident_status\r\n , IncidentsUrl=incidents_url\r\n , MatchedPolicies=matched_policies_by_severity\r\n , EventCount=number_of_incidents\r\n , NetworkApplicationProtocol=protocol\r\n , SrcUserName=source\r\n , SrcIpAddr=source_ip\r\n , SrcPortNumber=source_port\r\n",
- "version": 1
+ "query": "Syslog\n| where SyslogMessage contains 
'managed_device_id' and SyslogMessage contains 'number_of_incidents'\n| mv-apply ExtractedFields = extract_all(@'\\s(?P[a-zA-Z0-9-_]+)=\\\"?(?P[a-zA-Z0-9-_:/@.,#{}>< ]+)\\\"?', dynamic([\"key\",\"value\"]), SyslogMessage) on (\n project packed = pack(tostring(ExtractedFields[0]), tostring(ExtractedFields[1]))\n | summarize bag = make_bag(packed)\n)\n| evaluate bag_unpack(bag)\n| extend EventEndTime=todatetime(timestamp)\n| project-away timestamp\n| project-rename DvcAvtion=action_taken\n , DstUserName=destination\n , DstIpAddr=destination_ip\n , DstPortNumber=destination_port\n , IncidentId=incident_id\n , IncidentStatus=incident_status\n , IncidentsUrl=incidents_url\n , MatchedPolicies=matched_policies_by_severity\n , EventCount=number_of_incidents\n , NetworkApplicationProtocol=protocol\n , SrcUserName=source\n , SrcIpAddr=source_ip\n , SrcPortNumber=source_port\n",
+ "functionParameters": "",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": ""
+ }
+ ]
}
},
{
@@ -2389,33 +2312,15 @@
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "Digital Guardian Data Loss Prevention data connector with template",
- "displayName": "Digital Guardian Data Loss Prevention template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Digital Guardian Data Loss Prevention data connector with template version 2.0.1",
+ "description": "Digital Guardian Data Loss Prevention data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -2582,7 +2487,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@@ -2607,12 +2512,23 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "Digital Guardian Data Loss Prevention",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
@@ -2799,13 +2715,20 @@
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.0.1",
+ "version": "3.0.0",
"kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Digital Guardian Data Loss Prevention",
+ "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
+ "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Digital Guardian Data Loss Prevention (DLP) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Agent-based log collection (Syslog)
  2. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
@@ -2949,7 +2872,7 @@
],
"categories": {
"domains": [
- "Security – Information Protection"
+ "Security - Information Protection"
]
}
},
diff --git a/Solutions/DigitalGuardianDLP/ReleaseNotes.md b/Solutions/DigitalGuardianDLP/ReleaseNotes.md
new file mode 100644
index 00000000000..08b548cf89d
--- /dev/null
+++ b/Solutions/DigitalGuardianDLP/ReleaseNotes.md
@@ -0,0 +1,5 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 09-10-2023 | **Hunting Query** issue Fixed |
+
+
diff --git a/Solutions/DigitalGuardianDLP/SolutionMetadata.json b/Solutions/DigitalGuardianDLP/SolutionMetadata.json
index 5437bd59965..ad8f69f8440 100644
--- a/Solutions/DigitalGuardianDLP/SolutionMetadata.json
+++ b/Solutions/DigitalGuardianDLP/SolutionMetadata.json
@@ -4,7 +4,7 @@
"firstPublishDate": "2021-07-23",
"providers": ["Digital Guardian"],
"categories": {
- "domains" : ["Security – Information Protection"]
+ "domains" : ["Security - Information Protection"]
},
"support": {
"name": "Microsoft Corporation",
diff --git a/Solutions/DigitalGuardianDLP/Workbooks/DigitalGuardian.json b/Solutions/DigitalGuardianDLP/Workbooks/DigitalGuardian.json
index 722e15ba04e..fd9acfba1a5 100644
--- a/Solutions/DigitalGuardianDLP/Workbooks/DigitalGuardian.json
+++ b/Solutions/DigitalGuardianDLP/Workbooks/DigitalGuardian.json
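Review bot: The category domain is normalised from an en dash to an ASCII hyphen in two places — `"Security - Information Protection"` in the contentPackages resource of mainTemplate (hunk at -2949) and in SolutionMetadata.json — but a solution's category string is matched byte-for-byte wherever it is consumed, so every other metadata file in this commit that carries the domain needs the same normalisation or the package will advertise two different categories. I would grep the solution folder for the en-dash form before merging rather than rely on the two files visible here. The contentPackages resource also ends with `"icon": ""`, which presumably means the catalogue entry ships without an icon; if that is intended, a short comment in the solution's data file would save the next reader from treating it as an omission.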
@@ -4,7 +4,7 @@
{
"type": 1,
"content": {
- "json": "**NOTE**: This data connector depends on a parser based on Kusto Function **DigitalGuardianDLPEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-DigitalGuardian-parser)"
+ "json": "**NOTE**: This data connector depends on a parser based on Kusto Function **DigitalGuardianDLPEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-DigitalGuardianDLP-parser)"
},
"name": "text - 8"
},
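Review bot: The workbook note still tells the user to fetch the Kusto function by hand (`[Follow steps to get this Kusto Function](https://aka.ms/sentinel-DigitalGuardianDLP-parser)`), yet the hunks at -2293 and -2341 now deploy `DigitalGuardianDLPEvent` as a savedSearches resource of the solution itself, so the manual step appears to be stale for 3.0.0. The aka.ms redirect target cannot be verified from the diff; if the link is kept it should resolve to the parser's new `.yaml` location rather than the old `.txt` one. Something like `"json": "**NOTE**: This workbook depends on the parser **DigitalGuardianDLPEvent**, which is installed with the solution. If the workbook shows no data, confirm the function exists in the workspace."` would describe the current install path; the workbook's items array continues outside the hunk.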