From fc5d3b3ccb1c46dc51601aed6d462ad225efabb5 Mon Sep 17 00:00:00 2001
From: v-rusraut
Date: Mon, 9 Oct 2023 16:55:12 +0530
Subject: [PATCH 1/5] Repackaging - DigitalGuardianDLP

---
 .../DigitalGuardianDLP/Data/Solution_DigitalGuardianDLP.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Solutions/DigitalGuardianDLP/Data/Solution_DigitalGuardianDLP.json b/Solutions/DigitalGuardianDLP/Data/Solution_DigitalGuardianDLP.json
index 067514bf989..cc95cbaa589 100644
--- a/Solutions/DigitalGuardianDLP/Data/Solution_DigitalGuardianDLP.json
+++ b/Solutions/DigitalGuardianDLP/Data/Solution_DigitalGuardianDLP.json
@@ -31,14 +31,14 @@
 "Hunting Queries/DigitalGuardianUrlByUser.yaml"
 ],
 "Parsers": [
- "Parsers/DigitalGuardianDLPEvent.txt"
+ "Parsers/DigitalGuardianDLPEvent.yaml"
 ],
 "Data Connectors": [
 "Data Connectors/Connector_DigitalGuardian_Syslog.json"
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\DigitalGuardianDLP",
- "Version": "2.0.1",
+ "Version": "3.0.0",
 "TemplateSpec": true,
 "Is1PConnector": false
 }
\ No newline at end of file

From f746726baf31cace5ce93dde95e903069cebb554 Mon Sep 17 00:00:00 2001
From: Github Bot
Date: Mon, 9 Oct 2023 11:37:33 +0000
Subject: [PATCH 2/5] [skip ci] Github Bot Added package to Pull Request!

---
 .../Data/system_generated_metadata.json | 33 +
 .../DigitalGuardianDLP/Package/3.0.0.zip | Bin 0 -> 16038 bytes
 .../Package/createUiDefinition.json | 40 +-
 .../Package/mainTemplate.json | 2745 ++++++++---------
 4 files changed, 1394 insertions(+), 1424 deletions(-)
 create mode 100644 Solutions/DigitalGuardianDLP/Data/system_generated_metadata.json
 create mode 100644 Solutions/DigitalGuardianDLP/Package/3.0.0.zip

diff --git a/Solutions/DigitalGuardianDLP/Data/system_generated_metadata.json b/Solutions/DigitalGuardianDLP/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..fb66ceb07c8
--- /dev/null
+++ b/Solutions/DigitalGuardianDLP/Data/system_generated_metadata.json 
@@ -0,0 +1,33 @@
+{
+ "Name": "Digital Guardian Data Loss Prevention",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)",
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\DigitalGuardianDLP",
+ "Version": "3.0.0",
+ "TemplateSpec": true,
+ "Is1PConnector": false,
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-digitalguardiandlp",
+ "providers": [
+ "Digital Guardian"
+ ],
+ "categories": {
+ "domains": [
+ "Security – Information Protection"
+ ]
+ },
+ "firstPublishDate": "2021-07-23",
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "Data Connectors": "[\n \"Data Connectors/Connector_DigitalGuardian_Syslog.json\"\n]",
+ "Parsers": "[\n \"DigitalGuardianDLPEvent.yaml\"\n]",
+ "Workbooks": "[\n \"Workbooks/DigitalGuardian.json\"\n]",
+ "Analytic Rules": "[\n \"DigitalGuardianClassifiedDataInsecureTransfer.yaml\",\n \"DigitalGuardianExfiltrationOverDNS.yaml\",\n \"DigitalGuardianExfiltrationToFileShareServices.yaml\",\n \"DigitalGuardianFileSentToExternal.yaml\",\n \"DigitalGuardianFileSentToExternalDomain.yaml\",\n \"DigitalGuardianFilesSentToExternalDomain.yaml\",\n \"DigitalGuardianMultipleIncidentsFromUser.yaml\",\n \"DigitalGuardianPossibleProtocolAbuse.yaml\",\n \"DigitalGuardianUnexpectedProtocol.yaml\",\n \"DigitalGuardianViolationNotBlocked.yaml\"\n]",
+ "Hunting Queries": "[\n \"DigitalGuardianDomains.yaml\",\n \"DigitalGuardianFilesSentByUsers.yaml\",\n \"DigitalGuardianIncidentsByUser.yaml\",\n \"DigitalGuardianInsecureProtocolSources.yaml\",\n \"DigitalGuardianInspectedFiles.yaml\",\n \"DigitalGuardianNewIncidents.yaml\",\n \"DigitalGuardianRareDestinationPorts.yaml\",\n \"DigitalGuardianRareNetworkProtocols.yaml\",\n \"DigitalGuardianRareUrls.yaml\",\n \"DigitalGuardianUrlByUser.yaml\"\n]"
+}
diff --git a/Solutions/DigitalGuardianDLP/Package/3.0.0.zip b/Solutions/DigitalGuardianDLP/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..6a20da13b3462ee5b9fdb03a8065ed0a04e68c89 GIT binary patch literal 16038 zcmZ|0b95(P5GNXEVrydCn%J1wwr$(CZQHhO8ULGhNrHl*0s#U20;<#ctIClmtjPoe1av6|1cdR^YUp6B?_{iOE^KUKZe#9bZfiql z;b?2Kt!3?q!h!siqnm%Ht$dNBi|nHAQf}DV5M)>mtrbHesZB~LkrU6eVI~?_6wavi z_3kWre`T)|HhO#qUbmFc@qTL4tns_Y25I57^9clfVa9O*Dk}W(etxVOR_OOUC5*aJ z$b)3T+FYXkMyXimVE2BaK-C(WY2&=)aG8FoE&N)L*p?j@+%DO`4d39tu7;@Z`GbAA zpJmFDa6s)Gh;>dBnODYl2zm|Q z4ZYIq99zC%qt6OsNrq>KFtj!AV$MPRUyM&kgi>MZ>tXjAbP>}*N_GJz85YI5EP>@b zg(}#q*?vZryRdL1Gbl_P+==p~nrp)q_9fNDd-!zwU9h^o#?o8U7c2%|IH|Aq)q4Q< z#=1K>oM%s?5N{5c6eIEi2Ntt~3)Z;0aN7#hBF1)1akWgb4LL%+y&GaCNSydaP67GNu73&U=-G$32F|0y16o8{afhW<6m3t10RrD_)KE^5+ zulk1unH5KQFrOCFzGo6+1tKej-7q$_kA&n<;SW^iP)W>zd~(K3^c0(&y*OqnF(uCk zegt(NAU=SDgATFh4OWQh9B?-IAO+hEMkV2e&YVVbcMPWKza5S$I8!wviSh*11_q0O z6^~K`x_n}2F97ib!CzE%AC`s7!AGHQgG(`mJKquQVgS?v zm9jt#RPMj557)#Cq!V~}AhGmZO&-XZ?IO>gm#D|ba(Pq4_U4`s$4O%PuBfI5L^tB4 z#54B`_(h%iPmZP8S$qPixa?|LE65QWx5O>J8T*QRFl$3MW;SeWQ@5vasL-5NArbIYS{hLKBk_ z(ZiVU_yJA&ENzFavE9{RUb#-GE*MRA)Fe{nFXK7LLE{2$mw((NA>)n6z?5QpzQ%rM zt?onkN0TWjT5K^9?D3-K^MzOd&Cw-84^&gjSPC$2!{u(Th6z~o`lBX9g?3XY@;${4 z#e&YUZ*OgdXOd8VeBXcHO5 z&IOWHf%N+G29|8Hroh%IOB>FRtvywFf34 z3Tq#vixLW&UoLImgeSd2(dnaA9rhEXVB=<(sR{iHJjK4Zrxut z*9D66*W_#P(t*-o$ciB|=c?pr*g;i;U@jbLI92(YPyA}Z@1K_m%e%|+K81|OdhU5k9zYBCv~wXOPRkrnm@9FD^u!FqBFDo8F8Br`2^ z3lzW{mR^!^ePQY3#vSv17MqUgCNyQUGHvx%Tf$>n6$-l@7XBUSr?B;WB+Mvd{?%INRm zlj&PVdzg+4jUli_H${Z&xqj{`4bGEMGm2iWauN(k{{Iq1P^AWNK`mf~(&!de%m=)G zyR$(#y9>rY8Mts{nv@E56`gX=(3r_wPr{&R|<{;+E?(st;BBSbVl4-4!5Qvmo zJNk1T=FxIMOJZo7@P2tRmZ4kqg94+bvbnKmHL6(P>MfzVKV@dx`eElWj6idYA8QZ z8S&sQZx*c3HSx19&fj3PORb66tCnJ~(xwHqOiJ&g`j)m<%srdx_Wp-$vc#(!VDzw7 zVzZF6dgcRgRAiz0jIpfA=JYWyJ^7KsaUK$UUJAWk(2LGo_8#C1)!h1$e-T0E2hKNF znDkvy5C00oHZ~--N6Sg@uZ z2hQT1(Cz36v=YS+K4Xmyv;kL_El}5)7c;ga(t5+#g$BUZ8-G?oso^^_!9CII%G!=$ 
z%jigCj=V9eG#^(op$AX9&&i(=>+3nSJgeG1yocd}o-0>X(%)txS|}Y!j;>Y=swD~@ z>aDGdx=jPg&dU1aBT-Iny8qukzUHMb(3gUrPnoB3BnC1h{d(rS0y*pyyu z*m4@mVwW^Ds_S|U8`)aR;gT1ztw^b0-o$B(mjgaMD{h!oKG>$WrS@9O{v%-G5ss|z zH>poi%i%#Jl)q$@2LxOZL(VIK}ljk)Z~LKtWyw z81rWdP&CtT$WU}DckGT{v%2`j=TMo6Zw&19idGdq@#OIE#EI4J;nbPHh0xFJMkv({ zr`}s)-QTaBr2r);G6NGPbs}`Z2cur-6OxeeSTu z)^hdD4KDhw^!E;_xJMUfk}Kv?N~s>#TJmp2%+W&LUnlm_3zJYI$rU3{i{3%^!Fv)@ zV1l(SpsojLTBx07W($Y?FMWM)7??fXUBag4UN1)}GPi4v4Q$B%DPJFlfm|Hf8`Rjb zAgMsZkJ@&z7-?7Jo_pEf%^tgD%~2YkLqyD@-GvURMof-&{4w9Bor~XVTm`S0S1f+2 zy(qJ-+my5=K3av}qq?%6zJzTJH{vWSa#~%F%D7R57 zA;$d^X>$kO8Gr%jW8kEqfI22KfCnI&rvdch!#jp&a%7SHdghtnlwBnl>xn@Ll&Y;P z=rH5Y-s6$%p1K`7aT6Hd&BZANO(t7^P7m>-JVQw8BcNO)#O(^K*U)rE!TT=kdWI+Q zW83khF>ugOe&|F^=5*$l- zcYG8kp4L!&gcmRpBMC1PkbV$||3NUDloBc)*HDq~B|fd6LmmCjH9npXotaZt^%)!G zymCpkZ&K-M_Y7{ns^Y~Kc+2S^04X+aIH<$#)Ic^|2y%(M->bxCu+O=72`=NB zDUdAP4IHI(iv)4H2ne-Vs+lljkA1E2wvVv>m6pKHWPU5n<9?8Ce_{ra50216t&6g- zjxvQA=*FYt3X^HYd%@tHqx1OB|5yV?aee3;n?!O&gA*msY(=;}7uObUyg zSQ!??@x7S~ccYNGQYTJPf=Q=;tx}EkG;H9Wa*A}-b9y!Cz`#LaI8rIBJOYCwu9iTY z>%g!Ka;6H@_V&bwMLWhf8!1-W^&(3kV*byKY{Bd0HGY1ZMVOAC%^$&fExIs{=ZihM z2_kvw4CyNAiWcTz;>+BEnDJAjdOO{zu)p?7vD9)Rn=wza4jC=JN=X}aQik7Vyv^TP zC^aJR6Rh8I^I?d~k7FZou8L-HS)Mhl?8Gd=&2Tpu31y;QUwF-yO*`*m?$y=p>{Fb#au^W>{nXQ_eo)(4V*m*X=%R>RDTbnBJlco-pJ4YR@gHnrb`Q|U?t zALEH>j7r?iIYyB?sY@R^{61V`pzTcux9v37OS0hBvMkxl#`@q!9qtL0gv(u__0t2&wP38EkW zBaSu;n~_=_9zA*rdzouD0I9N)gF0YE!T9e`Ksu4FTqKHa5`h*jTl04b|ATql}H zSb@UCp7}FaOVQfx3+xp=zs^AcgjUFIuRL~1;O=rT5644(+Z1pQM=}4MDxinsE71R5 zo)*k&odC`bM~c*|>9V^V_C^a-s}A`qZwnd5UH?X^2)zW{B3>z`<48EL(o+Z(guN zOQpI{=CvmC+uGs)E*to5uPNp>(foFHyz^QofxESTJ;-q6G1ouUZH{!?ECQ)O^W*Qe z_-BI70Za-_;5Hs@x|Q`hoFss|3&A{05BaZ?z&%WVaFhc*%>3X`ga>2`=DAM(;E31h zRcWm=XW5{wn}4s)VFWy7igxZ?AF$PP-tfKhU#Eb0s6stl{Q#kbdARxkq6rMx{sGd8 zGuIi+f1UgvkZBv3=S*qCHAaC#b_;${uI`Ze>ShbLt=eWy75~!(YVd~~WI%T`Xtydl zpc@z5qZVY&vlHP#ha>M9+JA>0@`1N?UUP7yZkG)Lv{JvxVmijZ+GUqOnj2>&Gg_c< zcO25A7j^DkBJY_U{=r8*@7Wa<@CnU-ea$=fe&n}9zr#?Gyv1nX(0tW5^a!EXY3UrL 
zQYp_4QLVF^$BSVVzmXRR^Fha*d%#ne;jviO@~T~^acW(-5p$5un*T5&Z~crUi>+jF zPO*G*n-zi?^JOX1#dSnxu0_$_xo*)s<+E*pRRnI;6imAaK(MebRK!p4sa~~MHl%ZQ zX0z{`EPgstuECp1jM)o+uBtF|Uw>{8|6)!$wtd|*W=y00@#~!J|s>b^W&IH{nEz%^<_L%&i*P>$QLZHcb>9WI(A?Lhj()7Uj;{@JeEK=hokrit*P)#@ z*&=34Ko{ih;;E#8hjH%uHvQWM3$zl3vrDxSD{w?lugMc`3wvcc2i&2ZVb&^kqBx0R zb`wtVVq2X{K~m8r9EGq~N#QR#m|Wf%K_%D7xGCmtZ80B}CMcp-zu=xG3Ne=fY)3yoi20_KwG$Jk?fH?#!;3fv;tAl7U{@3yv8)POvNM7 zjGC)p@&dWoRoJmLJY^ke`;Ir>N=OO%M5$Bc^puT$-e6a~WB35N+{%)u()&U_L9K{=z8q zh(JC2*Ts`Ebp|%M>b{t5c2qWY`(SyuGyHJF?+>~d*P81>M@#|=d@v+j2%`vl{#F+T zoh>Vu!BC80`dfVw={g=X!;~_xjhA3sc@BN@5rVRyRfF9ZN2b_+%T~L{*9B7zwGGVD zAMez+)bO9nD#3qvBj~TflXKIHoC{Zyq!%cLp*x7&cjeg5Ny#0Oz9M;yE8eb+B)B&} zE@`L>(s1mTZq7c@b%;sPKn1uQmsgq}j?0~{*ZqYiWP1bK5hfu#L`p&5%z2I3`(H!v zx=io=4c`q9#_v+e!%u^r*WL}Q5Y_!%FO1UOT%I$frBsU zYZM3F+^j2GkmcJB;3q7)&;BNbx1`owST9 zO~+zV4R~BQNZDdYsnBT=A+n$o`#eJb*2`7<7^io{ry>{$R!Jv9)5njmty2Ogcs^Zc z9sm6A;}IXGyQOoc~2=Z{Sb(pjLOO(Jz33%ePw0N^?+YSJk)HPrU8R!I?jVA6g~Z5l zXY({x-y!ropCw0;ll=}bKMJ_@vukL; zvLY&iN1|a*M3JLQL zLMxvP%6u=d=K^c>iy=`DNIjIQmP~!x01_lXV~C|gaDL;ePmPG+-ysKrTdWgOj;(7iZ%Js|d>NiY`fhI(b21HW6PSuhb-Pw3FC{||vb_32;(X4TVTFouM zcyA|5d7p@&aXGp+bvDQQo&Z)ZQDa7fZnVJz2*Tm)9LG1AGPRmS(EZJ<11}eKfSZjpIs)DQ~u4-tCC9 z%b2_f;Mh0bXlf;XNxh-sRpOrlG%H<(?|sY(cJ|0Fy!L_C%BNua*6z zfGV|i7US_3H}|8ue4aeWs#7+@;tV5aW{A2D&^s9($?uJ!`WUt9waP|Eur5rgUuhsh zPLR_A_~T$x>vl_dUKvbN4cL=+S+369gD%~{@OdG0;y{h1&JBZ7DDC;0Wu9O}Pp?28 zuir^K4m0$2rr`*K3ZCIR?F4b4kBD7?d|6Jb194%`@ZR_)^Ran@%pCXg)E4@S`HZ7O z9{~_otHCsKtZrZ#py=ghac9kHJZAY#qk<^&gk8iR#2eXRgrPBLpwcf9w8mA;m`=Y2 zL&rMtlo5&b@5L;2)9{X^I5`56A<`E%*bF#g0AlzB7gF)Poc50Mkf}?MgJFXQ&XUU_ zK>uL8gwRn)tco)nh4B~x{;QJ!w6}@FI5dDk6>JAIYUyF!wWQvQt_FFFldY(7PH|*D z^{>zV6Fg0>G!xUCd~3aCY{YqnIukSco}#ySTJh_P(+_HqdHk)VUz;b)Fu#u52Qdir zu4i)?)${QM-7ARAL_V^vVyj!vn%Qcx)#wsz(>8N){zjweKd$*%WHVxtawp%z(oTrQJ-q)mt)LR9I0T;OUv!*n&ycm z>V6dJ2p+4}hr$d@@;vW9;UZY;gK<2--7+wY_+!XyGIMfVA;NVE-(yX;?ueqO4S*hi zy5lK4ePgYzVN&<@W?Kz6vY;z(hK3@h 
z`EX~DNA&|%x4>8))`^U>`i3|-+)J23+rZ5zfSr0sHAMZUMg@E$JR{5--kl(k-?+Sw z)g3*&mcAUshR^h*SJ;(~mx#tXq0A}>%00Mfceg8sw@)HGj8a~WXY?+18fv)9;&bEwnGH3Niztav;br62HyBVfV5`(& z{BsfP@vaNdmRrXQqo-VW?A6<*@7@`ONvOR>TY029ckk!aasK>Dsf4^fHIjNoVZ{Ce z)z}oEkn1IXR#T8jm-(kcVLxml@lQsA?-$V_aGB4JLAWEjWLB+s+S<5)QVyhCPEaMz zcW5ZcK7$ufIBbYvzFkU zu;mU%5Yq{Q5pUaL7Q5OZN1*WxMiR_u4PuD4Q%v5?2Y-LNe^et$_Gm^3)wh-(FGAeq zw!;a~3PRh5+qc)rhH3E#MHC6e!i+47O|Kb-_~^;`ix+Ng?cqH;Zf-BA{VSUCeqcl| zJ^WI9%`$0#-3q#{E-5C%iQH+&A)poSPL;Hzg213r0d|@5@DOI8lqyuZJTP0yUuH5( zOvg6s{i*QI1&!lK@Y)54dEw+}7FiWGTM{ERoL$#4%YFXLWfn%byzQ2j7HRo#@R3NK z_R16T_-$k*^zL@kBbWj=wHws0{bX1lt>TX1uvj%LQN>nUsZ;DWe0Tp@yMu2PPq3x@ z+{=CPk*5c{bCf+=3J=|WX8+5q=JJSPBlz9pka*lO8Q3X_g4y}EXg7p*L&&5v%Ib3M zx9E03AnHHl#kTxz(*_<2_ZwT-GW#eA1ZE&nQMz5%RDg){fPUGuE(dpA!2oGtWVTNa zrjGP*5AXM9&I@l}b`8B#=B(H|&i6_)xWydFYD@EMl|b@~6E7Cx^#-oarXotx70b=D zIbk9;D7wK3eD~*Xx3n5AKKt4`N*dvdaaK$PNWKeQ?N`We_pbw(cF$KR>~9a_kKBxT z_8PwL>%qm!%F6EVB6@Wo@q@?vMEsc8uftkfdR>Azqkz2FDlVWVYdo)xjlhqZrd#KGMt5@J3ldxuow8>1v7$N0DMS)Y#%#<pxr{aH{Qb3#M?@TXwvBMZE5IM%`^W@$9?H1xpKE=|p?_hg~F(L&)CXjXhK)R{msZ z`d|u#uP_*$P3B;l?YY;!xx~2AFHiM|MnoOcm2&>ye$29W0pJldMecjzI?&(jv*G_f z&)ZMNigpiymJ*$>Knfw09XR)U^N&CJANQ^_E}+L38tc8Ji49~(8^ux%K%vS)Ji$>W zj?XT+w>-JfGVL0SFmkY>adnYV753}wv4+F^)vSgD<$2ZIInTL!LN1T++bzU*Al!-! 
z5}OTarE6>)&a@rp9#hUf=|8&RMri7T^$8yx{0~xj_ zCcLE;@*bD*kE3uNr_~}YoM1CU|2Pa3y&U3Kt-^^TkC0PV^v)j{#@#I#nQMgGR(*P8 zMQv3v-y)n`uzpvbR+iLe^jN%g(7tI%X&yN#iz+IPN<^5KXT{LbMn=~`MeHy8mpFD~dC(YIh5j|VHP6)ueK7GdB8Ym8i(|V5F8QOj!yTaF3 zEd<1hH3m}4ImLRmt+yxl!Bl4(QM1}g{PRR#ebQF+fo%wq#iohPaq{J0(kjZ?mYOp{ z%+V_tJ-~|1)2~h&p?P&V-uM@#TQirKWw4N5ldrAGUV@b?pX4tqJN~DywTit<-qTk* zeE8Ag`gM5+lAVAhHSx_pdR_?oI1Ztf*Pmb*_(MH(l+a`!gS#}%q}*L@xzTjCGM8UU z1nme6ahxb7X1?@BPuHo)R@m%?YKbV_@$`lm$tcA+Co^EC%obx1!-ZjvHKVV|qgrM43_DPx*RY9myJX&0ji=E6yl54$YTrG7 zywxp5DZfm~`W046Jb)LQ!A^9z{b{E>tz z6TD2SFK9WgTYh`Z?ns+)6zxk8Hg}uAe=V8n1Ba3`y2cz)3{O@*TIONlHHsg@tyb0RJ!^3u2oKYl0IuE;5sLPjjHgpLo<<_)yJ}b~ zhDWFv^SL!ICE!LVIV&ORD8*E~@@LE`Wc@4a%mQaxQUeVorOB_`RCS+(T=mbDpU{R~ z#WR`jnhJwSx#ndNr(Sb$nfVP~ahbFUd%rHm_-5S4CfPiz^43fK)8$b7oD>0}RA5li zcU-8qNu+!#oMmGP=8A>_))Kb+A?b=Y`V?;TZ!TkO)<88j#Vvi^h#r%rKOLDc@}&ir zi-^|ApLJNxN$vU+E}2pk4SuP^w`eHxf~OZa-3KS*%_JW zCyqVPt*pV3yT zs-dP*(Lx4&w=i9j#4d4aXpy>G@5~_s4EhLZrK-oL37ju3{-3&%lSInR133H9#f8Xj zyFP6B(rBkKhB4W8z?txY=)<1sapJE^ra^e6X!hT;pzKBiurqv&_H^vI8xOS}7&{%e zu;`0@L?t}^S$sg__2l>CvUs}y(=fvw|KU!UG}b4?u~C*V9roUOsDCK@&B5KBTPZpo z{ASE>ml&;%Y|kc5GhJ2np6`X{>NJdFb7mV@tNE#i*!0?6AVL~ep&k>yE@ zZ}jVp5PlQFxbWUtQFDy*JU?ag>}SYd;VW<;zimRw(Uef}JPk5POp*5kKftqb^m zbC98zqx88+w$>23Uwk6HL8Wk?b>iIdVd?CVKXH4xUdEkLVB*7~q!`nJX2;fLOwpov}7)D!&(gl7oj{erjNp^A4?e>_kY!^4RtOm85MYFYih_f5KG+{XtN{d&IcS4zNZxG4ut{)gV-001h zh?hvCJ?s-9tjJpKQ}nv+*#XbhWU0xF8NG-AbtNRx)yvDPT+^*z8d2nQ->+<=0q zN`!<%>jejI=u-HHg8Uxbc=h(RG_{7{ z8y@9L=voThCx*7>Y`8j);qZ|;|4fl`X)f?F^GxwJF@=quAX0LXHZqK> z=jQNn?pIMSo7=v2P$>D@u+N_@Ke&X!nmiVq$5*{5K6Q<>XmV;2IP%RKvHc;w*Q@uI zd#IO%ZghX{sTT^GGy8l1BfMkI8SuVo|7HGZgxPJeMU7WThjE1oqlOBqvrpkH?`4*z z;mfRoUt(e~iC2=ct%|z%t761)(hqKNrxL;TpEL4vD|OBO*lUf4!Bui^6NMD+_X|br0N$_aiFkg9LF08 z^6;)*lG~wzOx55*&9}G=?oG7Jcl48QPZ#%YEXRvZx|QcM>%Dvr_!ZJtzGBi%TXweT zZbYp(Rc+HpxDPUXl;#TPN$O*6a>9vTXNO8oTHB?cG_%3FV>;Yyl=p9WVeh{DLpt`w z;FryTdRT5x7NVV6M#qoq3r~ZcBTPvyLMeNW5T=nDA?Dg~3qszM_Gbw%4vCb^mmZyg 
zmTI@_oVUX^#(V|*J+yD8)b`+X;n0;N(Jqqgf1G^ktqSD5WZL6*4modzrrl&;OdVByck>rmXm2F6gC% z3#!?p^?<;3{lo=*>lYUR#TnOC&q$oL-F>2pGTIbW&P>RlT*l4(DI(5H&5*IEb=vCF zXf)MukX4;PoXts{xh*uY(3nrv*hz{?4++<)+Eb!6Ob_KS8?A7uVq)}`Joo(_#Hy_mJ+2KLn{iM~^R z_xp4wfjGNqH1IngJ{eEF-|L>9bzbD{9D*wZJfJpbDtB2t?{U0i^;LeFY}l53nw-+$ zwe3oI2C*F>Sy-(SFRASilQa`mB=RV;Vc+~Jk66GXyhJiE*dT5y#LFKU;TAlyep~k9 zKSfu104`2cRq}`(hg@3X&69rfqg$^JhVekU2EPShD1MY)AXxAM`^x>0h4rEKA>bdm zMM?7*gpXDtt{W;Oo^Tm~M;N*thT}mxM_IAj)0?3JbvY5efz0kP#OrM&a1Fmz`#$z) zR7-9Y6kGbeF{^WfsB>A|wo8b#!CF@eS&ouAy+NWDT&I=HO0Gf3JTS&^vvA0oT|5Yb)k{~#J{F2t)jcH!1~B{62jQ0;(1 z)7Couht|Af=wRR66lu9lM|Zqba0uuLKK7g|D7{#=-~p~x`GNEIJ*-QEdA28C&G>0B zLrWu^n;myw$u92Zz}qdZuBwpQ3Fmdy@$Ixh(c@amP1bsVRGCYVVdP&WmlW^rxBfRn zPHgftxjm~nP43XW6Yp0uDcuZQFOJX6;1>eq=q$Vd+6sy;hYWgdE{#2u<&vblzAsm_ zLs;*TG$$N(>9#eN{-sUgUrSd_38l`>hF1&M&CkwFjZNp)<`mb~zi=&QQX0wA5L?z2 z1x=mOottTCF0Gekoz=~(u9*@1)yI~StGxxawAoz+6P{8%EiF&Y);p^se7AQ=JT{l) zd-jt}^1ROY@uSf}FYtV#O=P*6RI9AQ@#%V?v|VB=xUl6vC%_GIT}D{0OqlmvgkDoh zS(!Rx!izsNXw6w+FDuB^S`01T|JHouh)}H!zq;OUa@QAq3j@`}MvMxwz9GJISMjTG*}@uITI(lCh3eBpUy>TxI_)7we_Gp}|IBOCetK z(+anRg-26{EbVqc1aGs`U4+Cn!r6~2OsOH;{IT3p8&CBT^r*8$W+lGHBuG@m|hJPxB8rKa` ztD0#ieAmn!Ja_r6YIbI2!@3`+ta6geo;f5Q$|8IhuJfKV+i_pz*nrCYL2;)1d}OMO zj{H3j8NH6G=k3bnuqU4@2=>_b`jQbu$#>$3428GXgihBL%FTiC21RZs!dfIdRDQIT zzcmY(9kEA+-QVl&_bi&#i)KruE_Lar`KjQ*i1(6|w)ZH~E+27t3U4CC&fKQ=zbU~k ze8Vs+SEXa+i`zBt<(*yce=VAoOj9bX*!FxB(2BQZH$I1kn%>RDwq>`Y+jAur!j`vW zPR~@GxPG?ll3VQf<nGD5sT_`k?lH@(gE@_@qTkNmt+$p66o2U0B{KPLy*ElJS z&On8N4cw$@)y}}HUEHPJ8m_Y5E-rBkB_&gj|M&<0AO8e4aDVv6WhS;Q@EP46ct`uX z+{J&Yq51&w-{;OLb{s~j)|`E=W1GKsvt}^kt{=`P=;}?ds`LUD<36k@bCX6XKIMB4y98&JWETe1!-0|;_txZ6P zu8=bT5*BM#Tp|FOb0aoe1ZANq^@%TT^YfyzSN@_da{oC!VQrPJG^);pW4x$&l9IGS zTV~y>dGhp2TV{!3tz@=bCy}z=L592?STS3U>VDmC^RIf!6PI}}3d*8SDefazap~1> zTv;^0kcCc}6gE{yKGSKXMNjB)*zZ6n5R(;O`MY>~VROEvj!(Id7{~9o6OmRSc#4nk zH3n|HSw$QzgOrP)!@nUE_`8VbKOswRf(I@MX`PS1osu@DrhkVTtktT=YDq5GY{UxF z-G&{1T8XsEy#Vu++e6D?wQtR$j5gDrE=%y{4@nCFNC$|Y^X7l!OLU8(KCU{>hQCK1 
z1ClDBbLTJ=pmwSjUvGcTMHJWk(0j#@)11F-?|CIU{8gN>Xj8I6lActH7eQj}r;GH; z*w@mT)oa2&?AYpVn7CM2KC`HiY-%ShFBzfeN%Kq z#ftuR2#QphY@#_j{8h%t>PSma{ZY!}JY<49b3tB)yM*tzF&am*Y3b}N%&}?ihy9F> zA%+B2dAHh?#gs2^lx?z=NZt}h0gI!hlEa!A5n@VRk9%cp ze$1O}+FBu$q6V#D?lX`I7pJ{Qb|I6Kj&mUIeEr{bPII2$Bqnhm(DWaFGP@gSuETaR zvECi+gO8E!8FNiq=kaMZTOIxL+B+#!9iQRspI21cJyjG_kFV0f>3_(iQ~e?H>W556 z*Xix_wBswTiEYiygRA1{p5-*JjxV%yFHU!nT@5(KYtd!@lf%59?d*k>=SMMHa4!FM)U~SqrOI%^k$e zE1P6%Q&ubUmTdL1fh9Crb7i)3)6I$mmdzEb%y9FT?n0~1PRbT-vzltr&c(+X@y;I} zRCJ6AcY0>H*ao`J!-tK1E-IVD(MhW0_z3yqWm}2ETUjIN_%c<2@xz|n|JW0%nq0)u zb$lZw<@kbobkiN}@WQ=m%L<=c<0=B5`=fJ~dC1^*S8;q$aK6~DDes?pjxUjHulb~Q zWPrOmm3VHo?a>%@=S&ED2z9>n+FYALWyDk!ZRBfyJcR{YpVbOiRVB32?aVMLX&nU| z)e|P4Nt((DC0iK|%#70Qu1OBh>=NyYCYu&CT-wVKG+aNs#KlvJrc-B;#dDhlJMU|W z&pahax$HEDYQAQ*A>1{~T+v#(*WH*0u|(VJcEc8bH#>qv_N0Z?j1^yOx?H3^L(w)& zQ8Bw$M1gj`qFCM8#T`0Pl_fp-wJKMYI&xu11I3c8B>XW3`TSu?`%ra~#AL%_ic@hl zVu>@cry^vNp&eb=4$G#ShC`)(EE6Z}2yl7#hZaQ6-(@#*8ZzcGaQ~AmeO_=^drnwU zkoF7&7gKlF7oJQCvL~(EYacR)3%C0N$mH`LgM6R|*iGs}`>6Nxx1%y7nlsSz?ux)Cm*!u9+=-i6(HaWJfIY}Co=qz!zsp&xTr3i*0f{o zFh^iQ$ByA>f?g95Awzsmgi-}mYDI4*FoD8o zIY;Cw4*h@v=fF`og_~&UW%7i7ypqldLeq248hw+o(&KMP$bu(pg}IYSy&s@S`#-VW z6gs^DGi{&{;k+~Ygkh6Q=z^5Bf`S(QGRYEp*(7hjIFE1{4k$C`{zgGwamVT9L|^+> zHcJsriZAy8jW=Mt4V~~vS7tW8otU{jBGXmGq0{JeO_s2{X50zDCw{IX@^~@lBwOr;n5R^>iFZ3J4+j7i!RrM-?bBk& zm{TnTxkI-tL=A^cSX>IRrqMFzx1vqN`P$X;v8uPtLLMy9&@$$Cewu87tLLI-Y*>Um zx+Q{5oLmdB7Enxn`Zj<13ZJN03VX4q<7^X@)W0nx*-2b0OB*KJB)E)vmbT4Ai=DL= zqK;N?o7oB%IO)ts?#^E{GUd&2>0jVadH!qDxe-bAwE7v>wO6zCzYACS|GV&V^uNX+ z?s~*dm$k%TT#|;sg?}bo8zETFBFwzztYYI?|9u8M7p=Br$$-i&SW}VW2xHQ;ilp+2 zAw>WMkmyiO7Vqb*tJU)$RR(_Tet+mXu@!fUe?T*Npuj%gT#sYFXjkN)L!(i_78R2= zs$93<>#-rY*`2uV_Pl?~NdkkQg8tvL!GAJU{$JPsB{%&4oaFz^b@_j0F#Sn1|Nmva V$Vq}j{5J&T=MMUL!t(xC`ybipw!HuV literal 0 HcmV?d00001 diff --git a/Solutions/DigitalGuardianDLP/Package/createUiDefinition.json b/Solutions/DigitalGuardianDLP/Package/createUiDefinition.json index fd55f70c7b0..eac1aba0e6b 100644 
--- a/Solutions/DigitalGuardianDLP/Package/createUiDefinition.json
+++ b/Solutions/DigitalGuardianDLP/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) solution provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\r\n \r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -60,14 +60,14 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This solution installs the data connector for ingesting Digital Guardian Data Loss Prevention logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for DigitalGuardianDLP. You can get DigitalGuardianDLP Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
 "name": "dataconnectors-parser-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the DigitalGuardianDLPEvent Kusto Function alias."
+ "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
 }
 },
 {
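Review bot: The new dataconnectors-parser-text string states that the parser transforms ingested data "into Microsoft Sentinel normalized format", but nothing in this patch supports a normalized-schema claim: mainTemplate registers the parser as `DigitalGuardianDLPEvent-Parser` and the hunting-query texts in this same file say the queries depend on the `DigitalGuardianDLPEvent` parser or table. The removed wording named the `DigitalGuardianDLPEvent` Kusto function alias, which is the one thing an installer actually needs in order to query the data, and made no claim about normalization. Unless the parser really emits a normalized schema, I would keep `"text": "The Solution installs a parser that transforms the ingested data. The transformed logs can be accessed using the DigitalGuardianDLPEvent Kusto Function alias."`. Since this file appears to be produced by the packaging tool, the wording presumably has to be corrected at its source rather than edited here.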
@@ -107,6 +107,20 @@
 "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
 }
 }
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": "DigitalGuardianDLP",
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Sets the time name for analysis"
+ }
+ }
+ ]
 }
 ]
 },
@@ -309,7 +323,7 @@
 "name": "huntingquery1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for incident domains. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for incident domains. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -323,7 +337,7 @@
 "name": "huntingquery2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for files sent by users. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for files sent by users. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -337,7 +351,7 @@
 "name": "huntingquery3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for users' incidents. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for users' incidents. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
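Review bot: The new workbook1 section surfaces `"text": "Sets the time name for analysis"` as the only description of the DigitalGuardianDLP workbook, which tells an installer nothing about what the workbook visualizes. This string is presumably copied from the workbook's metadata description by the packaging tool, so the fix belongs in that source rather than in this generated file. A one-sentence summary of the workbook's content, e.g. `"text": "<CONSTRUCTED: one sentence describing what the DigitalGuardian workbook shows>"`, would be more useful. The section `"label": "DigitalGuardianDLP"` also repeats the solution name rather than naming the workbook, unlike the hunting-query sections that follow.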
@@ -351,7 +365,7 @@
 "name": "huntingquery4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for insecure file transfer sources. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for insecure file transfer sources. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -365,7 +379,7 @@
 "name": "huntingquery5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for inspected files. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for inspected files. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -379,7 +393,7 @@
 "name": "huntingquery6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for new incidents. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for new incidents. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -393,7 +407,7 @@
 "name": "huntingquery7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for rare destination ports. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for rare destination ports. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -407,7 +421,7 @@
 "name": "huntingquery8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches rare network protocols. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches rare network protocols. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -421,7 +435,7 @@
 "name": "huntingquery9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for rare Urls. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for rare Urls. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
@@ -435,7 +449,7 @@
 "name": "huntingquery10-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for URLs used. It depends on the DigitalGuardianDLP data connector and DigitalGuardianDLPEvent data type and DigitalGuardianDLP parser."
+ "text": "Query searches for URLs used. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
 }
 }
 ]
diff --git a/Solutions/DigitalGuardianDLP/Package/mainTemplate.json b/Solutions/DigitalGuardianDLP/Package/mainTemplate.json
index 79fe78496d3..6c9c8582f6e 100644
--- a/Solutions/DigitalGuardianDLP/Package/mainTemplate.json
+++ b/Solutions/DigitalGuardianDLP/Package/mainTemplate.json
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "metadata": {
 "author": "Microsoft - support@microsoft.com",
- "comments": "Solution template for Digital Guardian Data Loss Prevention"
+ "comments": "Solution template for DigitalGuardianDLP"
 },
 "parameters": {
 "location": {
@@ -42,191 +42,339 @@ "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", + "_solutionName": "DigitalGuardianDLP", + "_solutionVersion": "3.0.0", + "uiConfigId1": "DigitalGuardianDLP", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "DigitalGuardianDLP", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "parserName1": "DigitalGuardianDLP Data Parser", + "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", + "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "_parserId1": "[variables('parserId1')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", + "parserVersion1": "1.0.0", + "parserContentId1": "DigitalGuardianDLPEvent-Parser", + "_parserContentId1": "[variables('parserContentId1')]", + "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', 
variables('parserVersion1'))))]", "workbookVersion1": "1.0.0", "workbookContentId1": "DigitalGuardianWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "analyticRuleVersion1": "1.0.0", "analyticRulecontentId1": "b52cda18-c1af-40e5-91f3-1fcbf9fa267e", "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", "analyticRuleVersion2": "1.0.0", "analyticRulecontentId2": "39e25deb-49bb-4cdb-89c1-c466d596e2bd", "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", "analyticRuleId2": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", "analyticRuleVersion3": "1.0.0", "analyticRulecontentId3": "f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8", "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", "analyticRuleVersion4": "1.0.0", "analyticRulecontentId4": "edead9b5-243a-466b-ae78-2dae32ab1117", "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]", + "analyticRuleTemplateSpecName4": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", "analyticRuleVersion5": "1.0.0", "analyticRulecontentId5": "a19885c8-1e44-47e3-81df-d1d109f5c92d", "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", "analyticRuleVersion6": "1.0.0", "analyticRulecontentId6": "5f75a873-b524-4ba5-a3b8-2c20db517148", "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", "analyticRuleVersion7": "1.0.0", "analyticRulecontentId7": "e8901dac-2549-4948-b793-5197a5ed697a", "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", "analyticRuleVersion8": "1.0.0", "analyticRulecontentId8": "a374a933-f6c4-4200-8682-70402a9054dd", "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", "analyticRuleVersion9": "1.0.0", "analyticRulecontentId9": "a14f2f95-bbd2-4036-ad59-e3aff132b296", "_analyticRulecontentId9": 
"[variables('analyticRulecontentId9')]", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", "analyticRuleVersion10": "1.0.0", "analyticRulecontentId10": "07bca129-e7d6-4421-b489-32abade0b6a7", "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10')))]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", "huntingQueryVersion1": "1.0.0", "huntingQuerycontentId1": "444c91d4-e4b8-4adc-9b05-61fe908441b8", "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": 
"[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", + "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", "huntingQueryVersion2": "1.0.0", "huntingQuerycontentId2": "66dd7ab7-bbc0-48b7-a3b9-4e71e610df48", "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2')))]", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", + "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", "huntingQueryVersion3": "1.0.0", "huntingQuerycontentId3": "83d5652c-025c-4cee-9f33-3bc114648859", "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3')))]", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", + 
"_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", "huntingQueryVersion4": "1.0.0", "huntingQuerycontentId4": "196930a4-bd79-4800-b2bb-582a8f1c8dd4", "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4')))]", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", + "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", "huntingQueryVersion5": "1.0.0", "huntingQuerycontentId5": "e459b709-55f7-48b6-8afc-0ae1062d3584", "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5')))]", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]", + "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", "huntingQueryVersion6": "1.0.0", 
"huntingQuerycontentId6": "ae482a2c-b4e7-46fc-aeb7-744f7aad27ea", "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6')))]", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]", + "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]", "huntingQueryVersion7": "1.0.0", "huntingQuerycontentId7": "82cba92e-fe2f-4bba-9b46-647040b24090", "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]", "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7')))]", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))))]", + "_huntingQuerycontentProductId7": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId7'),'-', variables('huntingQueryVersion7'))))]", "huntingQueryVersion8": "1.0.0", "huntingQuerycontentId8": "8ab2f0db-baa1-495c-a8dd-718b81d0b8c7", "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", - "huntingQueryTemplateSpecName8": 
"[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8')))]", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))))]", + "_huntingQuerycontentProductId8": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId8'),'-', variables('huntingQueryVersion8'))))]", "huntingQueryVersion9": "1.0.0", "huntingQuerycontentId9": "b9a69da9-1ca0-4e09-a24f-5d88d57e0402", "_huntingQuerycontentId9": "[variables('huntingQuerycontentId9')]", "huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]", - "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9')))]", + "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))))]", + "_huntingQuerycontentProductId9": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId9'),'-', variables('huntingQueryVersion9'))))]", "huntingQueryVersion10": "1.0.0", "huntingQuerycontentId10": "310433ca-67aa-406d-bbdf-c167a474b0a0", "_huntingQuerycontentId10": "[variables('huntingQuerycontentId10')]", "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]", - "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10')))]", - "parserVersion1": "1.0.0", - "parserContentId1": "DigitalGuardianDLPEvent-Parser", - "_parserContentId1": "[variables('parserContentId1')]", - "parserName1": "DigitalGuardianDLP Data 
Parser", - "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", - "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]", - "uiConfigId1": "DigitalGuardianDLP", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "DigitalGuardianDLP", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0" + "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))))]", + "_huntingQuerycontentProductId10": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId10'),'-', variables('huntingQueryVersion10'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('workbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - 
"hidden-sentinelContentType": "Workbook" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Workbook with template", - "displayName": "Digital Guardian Data Loss Prevention workbook template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianWorkbook Workbook with template version 2.0.1", + "description": "Digital Guardian Data Loss Prevention data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", + "contentVersion": "[variables('dataConnectorVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": 
"Sets the time name for analysis" - }, + "kind": "GenericUI", "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **DigitalGuardianDLPEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-DigitalGuardian-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"green\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"45\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| summarize count() by NetworkApplicationProtocol\",\"size\":3,\"title\":\"Network 
Protocols\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Data Connector Statistics\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize dcount(SrcIpAddr)\",\"size\":3,\"title\":\"IP Addresses\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcUserName)\\n| summarize dcount(SrcUserName)\",\"size\":3,\"title\":\"Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcIpAddr)\\n| summarize dcount(SrcIpAddr)\",\"size\":3,\"title\":\"Hosts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where 
isnotempty(IncidentId)\\n| summarize dcount(IncidentId)\",\"size\":3,\"title\":\"Total Incidents\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"customWidth\":\"20\",\"name\":\"group - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\\r\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Source Addresses\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"cat\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"35\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcUserName)\\n| summarize count() by SrcUserName\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"35\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(http_url)\\n| 
extend u = parse_url(http_url)\\n| extend Domain = tostring(u.Host)\\n| summarize count() by Domain\\n| project Domain, EventCount=count_\",\"size\":3,\"title\":\"Top domains\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10}},\"customWidth\":\"30\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(DstUserName)\\n| summarize f = makeset(inspected_document) by DstUserName\\n| project Email = DstUserName, Files = f, FileCount = array_length(f)\",\"size\":0,\"title\":\"Top Recipients\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalMailsReceived\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"40\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(inspected_document)\\r\\n| order by TimeGenerated\\r\\n| project File=inspected_document, User=SrcUserName, Policy=MatchedPolicies\",\"size\":0,\"title\":\"Inspected files\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total Bytes 
(KB)\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TrafficVolume(MB)\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"55\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(IncidentStatus)\\r\\n| extend inc_act = split(IncidentStatus, ',')\\r\\n| where inc_act has 'New'\\r\\n| order by TimeGenerated\\r\\n| project TimeGenerated, User=SrcUserName, File=inspected_document, MatchedPolicies\\r\\n\",\"size\":0,\"title\":\"New Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 1\"}],\"fromTemplateId\":\"sentinel-DigitalGuardianWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Digital Guardian Data Loss Prevention (using Azure Functions)", + "publisher": "Digital Guardian", + "descriptionMarkdown": "[Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected 
[**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "DigitalGuardianDLPEvent", + "baseQuery": "DigitalGuardianDLPEvent" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Clients (Source IP)", + "query": "DigitalGuardianDLPEvent\n | where notempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "Syslog (DigitalGuardianDLPEvent)", + "lastDataReceivedQuery": "DigitalGuardianDLPEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "DigitalGuardianDLPEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission is required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution." + }, + { + "description": "Follow these steps to configure Digital Guardian to forward logs via Syslog:\n\n1.1. Log in to the Digital Guardian Management Console.\n\n1.2. Select **Workspace** > **Data Export** > **Create Export**.\n\n1.3. From the **Data Sources** list, select **Alerts** or **Events** as the data source.\n\n1.4. From the **Export type** list, select **Syslog**.\n\n1.5. From the **Type list**, select **UDP** or **TCP** as the transport protocol.\n\n1.6. In the **Server** field, type the IP address of your Remote Syslog server.\n\n1.7. In the **Port** field, type 514 (or other port if your Syslog server was configured to use non-default port).\n\n1.8. From the **Severity Level** list, select a severity level.\n\n1.9. Select the **Is Active** check box.\n\n1.9. Click **Next**.\n\n1.10. From the list of available fields, add Alert or Event fields for your data export.\n\n1.11. Select a Criteria for the fields in your data export and click **Next**.\n\n1.12. Select a group for the criteria and click **Next**.\n\n1.13. Click **Test Query**.\n\n1.14. Click **Next**.\n\n1.15. Save the data export.", + "title": "1. Configure Digital Guardian to forward logs via Syslog to remote server where you will install the agent." 
+ }, + { + "description": "Install the agent on the Server to which the logs will be forwarded.\n\n> Logs on Linux or Windows servers are collected by **Linux** or **Windows** agents.", + "instructions": [ + { + "parameters": { + "title": "Choose where to install the Linux agent:", + "instructionSteps": [ + { + "title": "Install agent on Azure Linux Virtual Machine", + "description": "Select the machine to install the agent on and then click **Connect**.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxVirtualMachine" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "Install agent on a non-Azure Linux Machine", + "description": "Download the agent on the relevant machine and follow the instructions.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxNonAzure" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. Install and onboard the agent for Linux or Windows" + }, + { + "instructions": [ + { + "parameters": { + "title": "Choose where to install the Windows agent:", + "instructionSteps": [ + { + "title": "Install agent on Azure Windows Virtual Machine", + "description": "Select the machine to install the agent on and then click **Connect**.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnVirtualMachine" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "Install agent on a non-Azure Windows Machine", + "description": "Download the agent on the relevant machine and follow the instructions.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnNonAzure" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Open Log Analytics to check if the logs are received using the Syslog schema.\n\n>**NOTE:** It may take up to 15 minutes before new logs will appear in Syslog table.", + "title": "3. 
Check logs in Microsoft Sentinel" + } + ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { - "description": "@{workbookKey=DigitalGuardianWorkbook; logoFileName=Azure_Sentinel.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=DigitalGuardianDLP; templateRelativePath=DigitalGuardian.json; subtitle=; provider=Digital Guardian}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -245,199 +393,241 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Digital Guardian Data Loss Prevention (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 1 with template", - "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template" + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Digital Guardian Data Loss Prevention", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + 
"support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" - ], + "kind": "GenericUI", "properties": { - "description": "DigitalGuardianClassifiedDataInsecureTransfer_AnalyticalRules Analytics Rule with template version 2.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId1')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects sensitive data transfer over insecure channel.", - "displayName": "Digital Guardian - Sensitive data transfer over insecure channel", - "enabled": false, - "query": "DigitalGuardianDLPEvent\n| where isnotempty(MatchedPolicies)\n| where isnotempty(inspected_document)\n| where NetworkApplicationProtocol =~ 'HTTP'\n| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - 
"severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "DigitalGuardianDLPEvent" - ], - "connectorId": "DigitalGuardianDLP" - } - ], - "tactics": [ - "Exfiltration" - ], - "entityMappings": [ - { - "fieldMappings": [ + "connectorUiConfig": { + "title": "Digital Guardian Data Loss Prevention (using Azure Functions)", + "publisher": "Digital Guardian", + "descriptionMarkdown": "[Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "DigitalGuardianDLPEvent", + "baseQuery": "DigitalGuardianDLPEvent" + } + ], + "dataTypes": [ + { + "name": "Syslog (DigitalGuardianDLPEvent)", + "lastDataReceivedQuery": "DigitalGuardianDLPEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "DigitalGuardianDLPEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Top 10 Clients (Source IP)", + "query": "DigitalGuardianDLPEvent\n | where notempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission is required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read 
permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution." + }, + { + "description": "Follow these steps to configure Digital Guardian to forward logs via Syslog:\n\n1.1. Log in to the Digital Guardian Management Console.\n\n1.2. Select **Workspace** > **Data Export** > **Create Export**.\n\n1.3. From the **Data Sources** list, select **Alerts** or **Events** as the data source.\n\n1.4. From the **Export type** list, select **Syslog**.\n\n1.5. From the **Type list**, select **UDP** or **TCP** as the transport protocol.\n\n1.6. In the **Server** field, type the IP address of your Remote Syslog server.\n\n1.7. In the **Port** field, type 514 (or other port if your Syslog server was configured to use non-default port).\n\n1.8. From the **Severity Level** list, select a severity level.\n\n1.9. Select the **Is Active** check box.\n\n1.9. Click **Next**.\n\n1.10. From the list of available fields, add Alert or Event fields for your data export.\n\n1.11. Select a Criteria for the fields in your data export and click **Next**.\n\n1.12. Select a group for the criteria and click **Next**.\n\n1.13. Click **Test Query**.\n\n1.14. Click **Next**.\n\n1.15. Save the data export.", + "title": "1. Configure Digital Guardian to forward logs via Syslog to remote server where you will install the agent." 
+ }, + { + "description": "Install the agent on the Server to which the logs will be forwarded.\n\n> Logs on Linux or Windows servers are collected by **Linux** or **Windows** agents.", + "instructions": [ + { + "parameters": { + "title": "Choose where to install the Linux agent:", + "instructionSteps": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "title": "Install agent on Azure Linux Virtual Machine", + "description": "Select the machine to install the agent on and then click **Connect**.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxVirtualMachine" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "Install agent on a non-Azure Linux Machine", + "description": "Download the agent on the relevant machine and follow the instructions.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxNonAzure" + }, + "type": "InstallAgent" + } + ] } - ], - "entityType": "Account" + ] }, - { - "fieldMappings": [ + "type": "InstructionStepsGroup" + } + ], + "title": "2. 
Install and onboard the agent for Linux or Windows" + }, + { + "instructions": [ + { + "parameters": { + "title": "Choose where to install the Windows agent:", + "instructionSteps": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "title": "Install agent on Azure Windows Virtual Machine", + "description": "Select the machine to install the agent on and then click **Connect**.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnVirtualMachine" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "Install agent on a non-Azure Windows Machine", + "description": "Download the agent on the relevant machine and follow the instructions.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnNonAzure" + }, + "type": "InstallAgent" + } + ] } - ], - "entityType": "IP" - } - ] - } + ] + }, + "type": "InstructionStepsGroup" + } + ] }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", - "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", - "source": { - "kind": "Solution", - "name": "Digital Guardian Data Loss Prevention", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } + "description": "Open Log Analytics to check if the logs are received using the Syslog schema.\n\n>**NOTE:** It may take up to 15 minutes before new logs will appear in Syslog table.", + 
"title": "3. Check logs in Microsoft Sentinel" } - ] + ], + "id": "[variables('_uiConfigId1')]", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution." } } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 2 with template", - "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianExfiltrationOverDNS_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "DigitalGuardianDLPEvent Data Parser with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": "[variables('parserVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "name": "[variables('_parserName1')]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects exfiltration using DNS protocol.", - "displayName": "Digital Guardian - Exfiltration using DNS protocol", - "enabled": false, - "query": "DigitalGuardianDLPEvent\n| where DstPortNumber == 53\n| extend AccountCustomEntity = SrcUserName\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "DigitalGuardianDLPEvent" - ], - "connectorId": "DigitalGuardianDLP" - } - ], - "tactics": [ - "Exfiltration" - ], - "entityMappings": [ + "eTag": "*", + "displayName": "DigitalGuardianDLP Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "DigitalGuardianDLPEvent", + "query": "Syslog\n| where SyslogMessage contains 'managed_device_id' and SyslogMessage contains 'number_of_incidents'\n| mv-apply ExtractedFields = extract_all(@'\\s(?P[a-zA-Z0-9-_]+)=\\\"?(?P[a-zA-Z0-9-_:/@.,#{}>< ]+)\\\"?', dynamic([\"key\",\"value\"]), SyslogMessage) on (\n project packed = pack(tostring(ExtractedFields[0]), tostring(ExtractedFields[1]))\n | summarize bag = make_bag(packed)\n)\n| evaluate bag_unpack(bag)\n| extend EventEndTime=todatetime(timestamp)\n| project-away timestamp\n| project-rename 
DvcAvtion=action_taken\n , DstUserName=destination\n , DstIpAddr=destination_ip\n , DstPortNumber=destination_port\n , IncidentId=incident_id\n , IncidentStatus=incident_status\n , IncidentsUrl=incidents_url\n , MatchedPolicies=matched_policies_by_severity\n , EventCount=number_of_incidents\n , NetworkApplicationProtocol=protocol\n , SrcUserName=source\n , SrcIpAddr=source_ip\n , SrcPortNumber=source_port\n", + "functionParameters": "", + "version": 2, + "tags": [ { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "Name" - } - ], - "entityType": "Account" + "name": "description", + "value": "" } ] } @@ -445,16 +635,18 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", - "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "dependsOn": [ + "[variables('_parserId1')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + "version": "[variables('parserVersion1')]", "source": { - "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", + "kind": "Solution", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -470,96 +662,114 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_parserContentId1')]", + "contentKind": "Parser", + "displayName": "DigitalGuardianDLP Data Parser", + "contentProductId": "[variables('_parsercontentProductId1')]", + "id": "[variables('_parsercontentProductId1')]", + "version": "[variables('parserVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName3')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('_parserName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 3 with template", - "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template" + "eTag": "*", + "displayName": "DigitalGuardianDLP Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "DigitalGuardianDLPEvent", + "query": "Syslog\n| where SyslogMessage contains 'managed_device_id' and SyslogMessage contains 'number_of_incidents'\n| mv-apply ExtractedFields = extract_all(@'\\s(?P[a-zA-Z0-9-_]+)=\\\"?(?P[a-zA-Z0-9-_:/@.,#{}>< ]+)\\\"?', dynamic([\"key\",\"value\"]), SyslogMessage) on (\n project packed = pack(tostring(ExtractedFields[0]), tostring(ExtractedFields[1]))\n | summarize bag = make_bag(packed)\n)\n| evaluate bag_unpack(bag)\n| extend EventEndTime=todatetime(timestamp)\n| project-away timestamp\n| project-rename DvcAvtion=action_taken\n , DstUserName=destination\n , DstIpAddr=destination_ip\n , DstPortNumber=destination_port\n , 
IncidentId=incident_id\n , IncidentStatus=incident_status\n , IncidentsUrl=incidents_url\n , MatchedPolicies=matched_policies_by_severity\n , EventCount=number_of_incidents\n , NetworkApplicationProtocol=protocol\n , SrcUserName=source\n , SrcIpAddr=source_ip\n , SrcPortNumber=source_port\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "dependsOn": [ + "[variables('_parserId1')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + "version": "[variables('parserVersion1')]", + "source": { + "kind": "Solution", + "name": "Digital Guardian Data Loss Prevention", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianExfiltrationToFileShareServices_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "DigitalGuardianWorkbook Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + "contentVersion": "[variables('workbookVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Sets the time name for analysis" + }, "properties": { - "description": "Detects exfiltration to online fileshare.", - "displayName": "Digital Guardian - Exfiltration to online fileshare", - "enabled": false, - "query": "let threshold = 10;\nDigitalGuardianDLPEvent\n| where isnotempty(inspected_document)\n| where http_url contains 'dropbox' or http_url contains 'mega.nz'\n| summarize f = dcount(inspected_document) by SrcUserName, bin(TimeGenerated, 30m)\n| where f >= threshold\n| extend AccountCustomEntity = SrcUserName\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - 
"DigitalGuardianDLPEvent" - ], - "connectorId": "DigitalGuardianDLP" - } - ], - "tactics": [ - "Exfiltration" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "Name" - } - ], - "entityType": "Account" - } - ] + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **DigitalGuardianDLPEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-DigitalGuardian-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"green\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"45\",\"name\":\"query - 
12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| summarize count() by NetworkApplicationProtocol\",\"size\":3,\"title\":\"Network Protocols\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Data Connector Statistics\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize dcount(SrcIpAddr)\",\"size\":3,\"title\":\"IP Addresses\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcUserName)\\n| summarize dcount(SrcUserName)\",\"size\":3,\"title\":\"Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcIpAddr)\\n| summarize 
dcount(SrcIpAddr)\",\"size\":3,\"title\":\"Hosts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(IncidentId)\\n| summarize dcount(IncidentId)\",\"size\":3,\"title\":\"Total Incidents\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"customWidth\":\"20\",\"name\":\"group - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\\r\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Source Addresses\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"cat\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"35\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcUserName)\\n| summarize count() by 
SrcUserName\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"35\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(http_url)\\n| extend u = parse_url(http_url)\\n| extend Domain = tostring(u.Host)\\n| summarize count() by Domain\\n| project Domain, EventCount=count_\",\"size\":3,\"title\":\"Top domains\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10}},\"customWidth\":\"30\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(DstUserName)\\n| summarize f = makeset(inspected_document) by DstUserName\\n| project Email = DstUserName, Files = f, FileCount = array_length(f)\",\"size\":0,\"title\":\"Top Recipients\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalMailsReceived\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"40\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where 
isnotempty(inspected_document)\\r\\n| order by TimeGenerated\\r\\n| project File=inspected_document, User=SrcUserName, Policy=MatchedPolicies\",\"size\":0,\"title\":\"Inspected files\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total Bytes (KB)\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TrafficVolume(MB)\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"55\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(IncidentStatus)\\r\\n| extend inc_act = split(IncidentStatus, ',')\\r\\n| where inc_act has 'New'\\r\\n| order by TimeGenerated\\r\\n| project TimeGenerated, User=SrcUserName, File=inspected_document, MatchedPolicies\\r\\n\",\"size\":0,\"title\":\"New Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 1\"}],\"fromTemplateId\":\"sentinel-DigitalGuardianWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - 
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "description": "@{workbookKey=DigitalGuardianWorkbook; logoFileName=Azure_Sentinel.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=DigitalGuardianDLP; templateRelativePath=DigitalGuardian.json; subtitle=; provider=Digital Guardian}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -574,61 +784,67 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "DigitalGuardianDLPEvent", + "kind": "DataType" + }, + { + "contentId": "DigitalGuardianDLP", + "kind": "DataConnector" + } + ] } } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 4 with template", - "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianFileSentToExternal_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "DigitalGuardianClassifiedDataInsecureTransfer_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + "contentVersion": "[variables('analyticRuleVersion1')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId4')]", + "name": "[variables('analyticRulecontentId1')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects exfiltration to private email.", - "displayName": "Digital Guardian - Exfiltration to private email", + "description": "Detects sensitive data transfer over insecure channel.", + "displayName": "Digital Guardian - Sensitive data transfer over insecure channel", "enabled": false, - "query": "DigitalGuardianDLPEvent\n| where NetworkApplicationProtocol =~ 'SMTP'\n| where isnotempty(inspected_document)\n| extend s_user = substring(SrcUserName, 0, indexof(SrcUserName, '@'))\n| extend d_user = substring(DstUserName, 0, indexof(DstUserName, '@'))\n| extend s_domain = extract(@'@(.*)', 1, SrcUserName)\n| extend d_domain = extract(@'@(.*)', 1, DstUserName)\n| where s_domain != d_domain\n| where s_user == d_user\n| extend AccountCustomEntity = SrcUserName\n", + "query": "DigitalGuardianDLPEvent\n| where isnotempty(MatchedPolicies)\n| where isnotempty(inspected_document)\n| 
where NetworkApplicationProtocol =~ 'HTTP'\n| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", - "severity": "High", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -645,6 +861,9 @@ "tactics": [ "Exfiltration" ], + "techniques": [ + "T1048" + ], "entityMappings": [ { "fieldMappings": [ @@ -654,6 +873,15 @@ } ], "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ], + "entityType": "IP" } ] } @@ -661,13 +889,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", + "description": "DigitalGuardianDLP Analytics Rule 1", + "parentId": "[variables('analyticRuleId1')]", + "contentId": "[variables('_analyticRulecontentId1')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", + "version": "[variables('analyticRuleVersion1')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
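Review bot: The insecure-transfer rule in this hunk is the only one in this chunk whose query also projects `IPCustomEntity = SrcIpAddr` and maps it to an IP entity; the DNS, fileshare, private-email and external-domain queries further down extend only `AccountCustomEntity`, although the workbook queries in the same template show `SrcIpAddr` is populated for these events. For consistent triage it is worth giving every rule the same `| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr` line and the matching `{"entityType": "IP", "fieldMappings": [{"columnName": "IPCustomEntity", "identifier": "Address"}]}` block; the other rules' entity-mapping hunks are only partly visible here, so this is inferred from their queries. The `=~ 'HTTP'` match is exact, so whether cleartext traffic the parser labels differently (if any) is covered depends on the parser's protocol values, which are not visible in this diff. The trigger threshold and the remaining rule properties sit in the following hunks.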
@@ -686,57 +914,50 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 5 with template", - "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "Digital Guardian - Sensitive data transfer over insecure channel", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - 
"description": "DigitalGuardianFileSentToExternalDomain_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "DigitalGuardianExfiltrationOverDNS_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", + "contentVersion": "[variables('analyticRuleVersion2')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId5')]", + "name": "[variables('analyticRulecontentId2')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects exfiltration to external domain.", - "displayName": "Digital Guardian - Exfiltration to external domain", + "description": "Detects exfiltration using DNS protocol.", + "displayName": "Digital Guardian - Exfiltration using DNS protocol", "enabled": false, - "query": "let corp_domain = dynamic(['example.com']); //add all corporate domains to this list\nDigitalGuardianDLPEvent\n| where NetworkApplicationProtocol =~ 'SMTP'\n| where isnotempty(inspected_document)\n| extend s_domain = extract(@'@(.*)', 1, SrcUserName)\n| extend d_domain = extract(@'@(.*)', 1, DstUserName)\n| where s_domain in~ (corp_domain)\n| where d_domain !in (corp_domain)\n| extend AccountCustomEntity = SrcUserName\n", + "query": "DigitalGuardianDLPEvent\n| where DstPortNumber == 53\n| extend AccountCustomEntity = SrcUserName\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", - "severity": "Medium", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -753,6 +974,9 @@ "tactics": [ "Exfiltration" ], + "techniques": [ + "T1048" + ], "entityMappings": [ { "fieldMappings": [ 
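Review bot: The new DNS-exfiltration query in this hunk raises a High-severity alert for every event with `DstPortNumber == 53`, with no protocol, document or volume condition, so routine resolver traffic that Digital Guardian happens to log will alert on each event. The sibling fileshare rule already aggregates per user into 30-minute bins against a `let threshold`, and the same shape would fit here, e.g. `| where DstPortNumber == 53\n| summarize f = count() by SrcUserName, SrcIpAddr, bin(TimeGenerated, 30m)\n| where f >= threshold`, with the threshold named in the rule description. Whether the parser populates `NetworkApplicationProtocol` for DNS is not visible in this diff; if it does, filtering on it would remove non-DNS hits on the port. The trigger threshold and entity mappings for this rule are in the following hunks.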
@@ -769,13 +993,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", + "description": "DigitalGuardianDLP Analytics Rule 2", + "parentId": "[variables('analyticRuleId2')]", + "contentId": "[variables('_analyticRulecontentId2')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "version": "[variables('analyticRuleVersion2')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -794,57 +1018,50 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 6 with template", - "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId2')]", + "contentKind": "AnalyticsRule", + "displayName": "Digital Guardian - Exfiltration using DNS protocol", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - 
"description": "DigitalGuardianFilesSentToExternalDomain_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "DigitalGuardianExfiltrationToFileShareServices_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('analyticRuleVersion3')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId6')]", + "name": "[variables('analyticRulecontentId3')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects bulk exfiltration to external domain.", - "displayName": "Digital Guardian - Bulk exfiltration to external domain", + "description": "Detects exfiltration to online fileshare.", + "displayName": "Digital Guardian - Exfiltration to online fileshare", "enabled": false, - "query": "let threshold = 10;\nlet corp_domain = dynamic(['example.com']);\nDigitalGuardianDLPEvent\n| where NetworkApplicationProtocol =~ 'SMTP'\n| where isnotempty(inspected_document)\n| extend s_domain = extract(@'@(.*)', 1, SrcUserName)\n| extend d_domain = extract(@'@(.*)', 1, DstUserName)\n| where s_domain in~ (corp_domain)\n| where d_domain !in (corp_domain)\n| summarize f = dcount(inspected_document) by SrcUserName, DstUserName, bin(TimeGenerated, 30m)\n| where f >= threshold\n| extend AccountCustomEntity = SrcUserName\n", + "query": "let threshold = 10;\nDigitalGuardianDLPEvent\n| where isnotempty(inspected_document)\n| where http_url contains 'dropbox' or http_url contains 'mega.nz'\n| summarize f = dcount(inspected_document) by SrcUserName, bin(TimeGenerated, 30m)\n| where f >= threshold\n| extend AccountCustomEntity = SrcUserName\n", "queryFrequency": "PT1H", 
"queryPeriod": "PT1H", - "severity": "Medium", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -861,6 +1078,9 @@ "tactics": [ "Exfiltration" ], + "techniques": [ + "T1048" + ], "entityMappings": [ { "fieldMappings": [ @@ -877,13 +1097,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", + "description": "DigitalGuardianDLP Analytics Rule 3", + "parentId": "[variables('analyticRuleId3')]", + "contentId": "[variables('_analyticRulecontentId3')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", + "version": "[variables('analyticRuleVersion3')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
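Review bot: The fileshare rule's `where http_url contains 'dropbox' or http_url contains 'mega.nz'` is a substring match over the whole URL, so any path or query component containing those strings matches, a host that merely contains them matches, and every other sharing service is silently ignored; the list also cannot be tuned without editing the template. The workbook in this same package already derives the host with `parse_url(http_url).Host`, so the rule can do the same and compare against a list declared up front: `let fileshare_domains = dynamic(['dropbox.com', 'mega.nz']);`, then `| extend Domain = tostring(parse_url(http_url).Host)` and `| where Domain has_any (fileshare_domains)` (or an `endswith` check per domain if exact suffix matching is wanted). The rule `description` should say that the domain list is a starting point to be extended by the customer, since the comment-free query gives no hint. The trigger threshold and entity mappings are in the following hunks.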
@@ -902,54 +1122,47 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 7 with template", - "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId3')]", + "contentKind": "AnalyticsRule", + "displayName": "Digital Guardian - Exfiltration to online fileshare", + "contentProductId": "[variables('_analyticRulecontentProductId3')]", + "id": "[variables('_analyticRulecontentProductId3')]", + "version": "[variables('analyticRuleVersion3')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - 
"description": "DigitalGuardianMultipleIncidentsFromUser_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "DigitalGuardianFileSentToExternal_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('analyticRuleVersion4')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId7')]", + "name": "[variables('analyticRulecontentId4')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects multiple incidents from user.", - "displayName": "Digital Guardian - Multiple incidents from user", + "description": "Detects exfiltration to private email.", + "displayName": "Digital Guardian - Exfiltration to private email", "enabled": false, - "query": "let threshold = 2;\nDigitalGuardianDLPEvent\n| where isnotempty(MatchedPolicies)\n| summarize count() by SrcUserName, bin(TimeGenerated, 30m)\n| where count_ >= threshold\n| extend AccountCustomEntity = SrcUserName\n", + "query": "DigitalGuardianDLPEvent\n| where NetworkApplicationProtocol =~ 'SMTP'\n| where isnotempty(inspected_document)\n| extend s_user = substring(SrcUserName, 0, indexof(SrcUserName, '@'))\n| extend d_user = substring(DstUserName, 0, indexof(DstUserName, '@'))\n| extend s_domain = extract(@'@(.*)', 1, SrcUserName)\n| extend d_domain = extract(@'@(.*)', 1, DstUserName)\n| where s_domain != d_domain\n| where s_user == d_user\n| extend AccountCustomEntity = SrcUserName\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "High", @@ -969,6 +1182,9 @@ "tactics": [ "Exfiltration" ], + "techniques": [ + "T1048" + ], "entityMappings": [ { "fieldMappings": [ 
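Review bot: The private-email query in this hunk compares the extracted domains with case-sensitive `!=` and the local parts with case-sensitive `==`, so `User@Example.com` sending to `user@example.com` is reported as a cross-domain transfer although it is the same mailbox, while the external-domain rule later in this diff uses case-insensitive `in~`; mail domains are case-insensitive and local parts are conventionally treated so. Changing to `| where s_domain !~ d_domain` and `| where s_user =~ d_user` removes both the false positive and the inconsistency. `indexof(SrcUserName, '@')` returns -1 when there is no '@', and nothing here guards what `substring` yields with a negative length; a preceding `| where SrcUserName contains '@' and DstUserName contains '@'` makes the intent explicit and skips non-mail events. The rule's entity mappings and trigger threshold follow in later hunks.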
@@ -985,13 +1201,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 7", - "parentId": "[variables('analyticRuleId7')]", - "contentId": "[variables('_analyticRulecontentId7')]", + "description": "DigitalGuardianDLP Analytics Rule 4", + "parentId": "[variables('analyticRuleId4')]", + "contentId": "[variables('_analyticRulecontentId4')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion7')]", + "version": "[variables('analyticRuleVersion4')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -1007,60 +1223,53 @@ "tier": "Microsoft", "link": "https://support.microsoft.com" } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 8 with template", - "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template" + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId4')]", + "contentKind": "AnalyticsRule", + "displayName": "Digital Guardian - Exfiltration to private email", + "contentProductId": "[variables('_analyticRulecontentProductId4')]", + "id": "[variables('_analyticRulecontentProductId4')]", + "version": "[variables('analyticRuleVersion4')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName5')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianPossibleProtocolAbuse_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "DigitalGuardianFileSentToExternalDomain_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", + "contentVersion": "[variables('analyticRuleVersion5')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId8')]", + "name": "[variables('analyticRulecontentId5')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects possible SMTP protocol abuse.", - "displayName": "Digital Guardian - Possible SMTP protocol abuse", + "description": "Detects exfiltration to external domain.", + "displayName": "Digital Guardian - Exfiltration to external domain", "enabled": false, - "query": "DigitalGuardianDLPEvent\n| where NetworkApplicationProtocol =~ 'SMTP'\n| where DstPortNumber != 25\n| extend AccountCustomEntity = SrcUserName\n", + "query": "let corp_domain = dynamic(['example.com']); //add all corporate domains to this list\nDigitalGuardianDLPEvent\n| where NetworkApplicationProtocol =~ 'SMTP'\n| where isnotempty(inspected_document)\n| extend s_domain = extract(@'@(.*)', 1, SrcUserName)\n| extend d_domain = extract(@'@(.*)', 1, DstUserName)\n| where s_domain in~ (corp_domain)\n| where d_domain !in (corp_domain)\n| extend AccountCustomEntity = SrcUserName\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", - "severity": "High", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", 
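Review bot: In the external-domain query in this hunk the destination check `d_domain !in (corp_domain)` is case-sensitive while the source check `s_domain in~ (corp_domain)` is not, so a recipient at `Example.com` is reported as external even though the same string is accepted as corporate on the source side; the bulk-exfiltration rule in the following contentTemplates hunk carries the same pair of operators. Use the case-insensitive form in both: `| where d_domain !in~ (corp_domain)`. The corporate list ships as the placeholder `dynamic(['example.com'])` and is only flagged by a comment inside the query, so a template deployed unchanged matches no real sender and produces nothing; the rule `description` should state that `corp_domain` must be populated before enabling, and a watchlist lookup would let operators maintain it without editing the rule (whether this solution ships a watchlist is not visible here). The rule's entity mappings and trigger threshold are in later hunks.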
@@ -1077,6 +1286,9 @@ "tactics": [ "Exfiltration" ], + "techniques": [ + "T1048" + ], "entityMappings": [ { "fieldMappings": [ @@ -1093,13 +1305,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", + "description": "DigitalGuardianDLP Analytics Rule 5", + "parentId": "[variables('analyticRuleId5')]", + "contentId": "[variables('_analyticRulecontentId5')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", + "version": "[variables('analyticRuleVersion5')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -1118,57 +1330,50 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName9')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 9 with template", - "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId5')]", + "contentKind": "AnalyticsRule", + "displayName": "Digital Guardian - Exfiltration to external domain", + "contentProductId": "[variables('_analyticRulecontentProductId5')]", + "id": "[variables('_analyticRulecontentProductId5')]", + "version": "[variables('analyticRuleVersion5')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName6')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - 
"description": "DigitalGuardianUnexpectedProtocol_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "DigitalGuardianFilesSentToExternalDomain_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('analyticRuleVersion6')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId9')]", + "name": "[variables('analyticRulecontentId6')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects RDP protocol usage for data transfer which is not common.", - "displayName": "Digital Guardian - Unexpected protocol", + "description": "Detects bulk exfiltration to external domain.", + "displayName": "Digital Guardian - Bulk exfiltration to external domain", "enabled": false, - "query": "DigitalGuardianDLPEvent\n| where DstPortNumber == 3389\n| extend AccountCustomEntity = SrcUserName\n", + "query": "let threshold = 10;\nlet corp_domain = dynamic(['example.com']);\nDigitalGuardianDLPEvent\n| where NetworkApplicationProtocol =~ 'SMTP'\n| where isnotempty(inspected_document)\n| extend s_domain = extract(@'@(.*)', 1, SrcUserName)\n| extend d_domain = extract(@'@(.*)', 1, DstUserName)\n| where s_domain in~ (corp_domain)\n| where d_domain !in (corp_domain)\n| summarize f = dcount(inspected_document) by SrcUserName, DstUserName, bin(TimeGenerated, 30m)\n| where f >= threshold\n| extend AccountCustomEntity = SrcUserName\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", - "severity": "High", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", 
@@ -1185,6 +1390,9 @@ "tactics": [ "Exfiltration" ], + "techniques": [ + "T1048" + ], "entityMappings": [ { "fieldMappings": [ @@ -1201,13 +1409,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", + "description": "DigitalGuardianDLP Analytics Rule 6", + "parentId": "[variables('analyticRuleId6')]", + "contentId": "[variables('_analyticRulecontentId6')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "version": "[variables('analyticRuleVersion6')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -1226,54 +1434,47 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName10')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 10 with template", - "displayName": "Digital Guardian Data Loss Prevention Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId6')]", + "contentKind": "AnalyticsRule", + "displayName": "Digital Guardian - Bulk exfiltration to external domain", + "contentProductId": "[variables('_analyticRulecontentProductId6')]", + "id": "[variables('_analyticRulecontentProductId6')]", + "version": "[variables('analyticRuleVersion6')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName10'),'/',variables('analyticRuleVersion10'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName7')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - 
"description": "DigitalGuardianViolationNotBlocked_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "DigitalGuardianMultipleIncidentsFromUser_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", + "contentVersion": "[variables('analyticRuleVersion7')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId10')]", + "name": "[variables('analyticRulecontentId7')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects when incident has not block action.", - "displayName": "Digital Guardian - Incident with not blocked action", + "description": "Detects multiple incidents from user.", + "displayName": "Digital Guardian - Multiple incidents from user", "enabled": false, - "query": "DigitalGuardianDLPEvent\n| where isnotempty(IncidentStatus)\n| extend inc_act = split(IncidentStatus, ',')\n| where inc_act has 'New'\n| where inc_act !contains 'Block'\n| extend AccountCustomEntity = SrcUserName\n", + "query": "let threshold = 2;\nDigitalGuardianDLPEvent\n| where isnotempty(MatchedPolicies)\n| summarize count() by SrcUserName, bin(TimeGenerated, 30m)\n| where count_ >= threshold\n| extend AccountCustomEntity = SrcUserName\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "High", @@ -1293,6 +1494,9 @@ "tactics": [ "Exfiltration" ], + "techniques": [ + "T1048" + ], "entityMappings": [ { "fieldMappings": [ 
@@ -1309,13 +1513,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", + "description": "DigitalGuardianDLP Analytics Rule 7", + "parentId": "[variables('analyticRuleId7')]", + "contentId": "[variables('_analyticRulecontentId7')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", + "version": "[variables('analyticRuleVersion7')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -1334,66 +1538,78 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 1 with template", - "displayName": "Digital Guardian Data Loss Prevention Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId7')]", + "contentKind": "AnalyticsRule", + "displayName": "Digital Guardian - Multiple incidents from user", + "contentProductId": "[variables('_analyticRulecontentProductId7')]", + "id": "[variables('_analyticRulecontentProductId7')]", + "version": "[variables('analyticRuleVersion7')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName8')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
"DigitalGuardianDomains_HuntingQueries Hunting Query with template version 2.0.1", + "description": "DigitalGuardianPossibleProtocolAbuse_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion1')]", + "contentVersion": "[variables('analyticRuleVersion8')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_1", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId8')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Digital Guardian - Incident domains", - "category": "Hunting Queries", - "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(http_url)\n| extend u = parse_url(http_url)\n| extend domain=u.Host\n| summarize count() by tostring(domain), SrcUserName\n| extend AccountCustomEntity = SrcUserName\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for incident domains." 
- }, + "description": "Detects possible SMTP protocol abuse.", + "displayName": "Digital Guardian - Possible SMTP protocol abuse", + "enabled": false, + "query": "DigitalGuardianDLPEvent\n| where NetworkApplicationProtocol =~ 'SMTP'\n| where DstPortNumber != 25\n| extend AccountCustomEntity = SrcUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "tactics", - "value": "Exfiltration" - }, + "dataTypes": [ + "DigitalGuardianDLPEvent" + ], + "connectorId": "DigitalGuardianDLP" + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": [ + "T1048" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1048" + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "Name" + } + ], + "entityType": "Account" } ] } 
@@ -1401,13 +1617,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 1", - "parentId": "[variables('huntingQueryId1')]", - "contentId": "[variables('_huntingQuerycontentId1')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion1')]", + "description": "DigitalGuardianDLP Analytics Rule 8", + "parentId": "[variables('analyticRuleId8')]", + "contentId": "[variables('_analyticRulecontentId8')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion8')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -1426,66 +1642,78 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 2 with template", - "displayName": "Digital Guardian Data Loss Prevention Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId8')]", + "contentKind": "AnalyticsRule", + "displayName": "Digital Guardian - Possible SMTP protocol abuse", + "contentProductId": "[variables('_analyticRulecontentProductId8')]", + "id": "[variables('_analyticRulecontentProductId8')]", + "version": "[variables('analyticRuleVersion8')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName9')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
"DigitalGuardianFilesSentByUsers_HuntingQueries Hunting Query with template version 2.0.1", + "description": "DigitalGuardianUnexpectedProtocol_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion2')]", + "contentVersion": "[variables('analyticRuleVersion9')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_2", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId9')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Digital Guardian - Files sent by users", - "category": "Hunting Queries", - "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(inspected_document)\n| summarize Files = makeset(inspected_document) by SrcUserName\n| extend AccountCustomEntity = SrcUserName\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for files sent by users." 
- }, + "description": "Detects RDP protocol usage for data transfer which is not common.", + "displayName": "Digital Guardian - Unexpected protocol", + "enabled": false, + "query": "DigitalGuardianDLPEvent\n| where DstPortNumber == 3389\n| extend AccountCustomEntity = SrcUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "tactics", - "value": "Exfiltration" - }, + "dataTypes": [ + "DigitalGuardianDLPEvent" + ], + "connectorId": "DigitalGuardianDLP" + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": [ + "T1048" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1048" + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "Name" + } + ], + "entityType": "Account" } ] } @@ -1493,13 +1721,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 2", - "parentId": "[variables('huntingQueryId2')]", - "contentId": "[variables('_huntingQuerycontentId2')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion2')]", + "description": "DigitalGuardianDLP Analytics Rule 9", + "parentId": "[variables('analyticRuleId9')]", + "contentId": "[variables('_analyticRulecontentId9')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion9')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -1518,66 +1746,78 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 3 with template", - "displayName": "Digital Guardian Data Loss Prevention Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId9')]", + "contentKind": "AnalyticsRule", + "displayName": "Digital Guardian - Unexpected protocol", + "contentProductId": "[variables('_analyticRulecontentProductId9')]", + "id": "[variables('_analyticRulecontentProductId9')]", + "version": "[variables('analyticRuleVersion9')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName10')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
"DigitalGuardianIncidentsByUser_HuntingQueries Hunting Query with template version 2.0.1", + "description": "DigitalGuardianViolationNotBlocked_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion3')]", + "contentVersion": "[variables('analyticRuleVersion10')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_3", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Digital Guardian - Users' incidents", - "category": "Hunting Queries", - "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(IncidentStatus)\n| where inc_act has 'New'\n| summarize makeset(IncidentsUrl) by SrcUserName\n| extend AccountCustomEntity = SrcUserName\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for users' incidents." 
- }, + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId10')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects when incident has not block action.", + "displayName": "Digital Guardian - Incident with not blocked action", + "enabled": false, + "query": "DigitalGuardianDLPEvent\n| where isnotempty(IncidentStatus)\n| extend inc_act = split(IncidentStatus, ',')\n| where inc_act has 'New'\n| where inc_act !contains 'Block'\n| extend AccountCustomEntity = SrcUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "tactics", - "value": "Exfiltration" - }, + "dataTypes": [ + "DigitalGuardianDLPEvent" + ], + "connectorId": "DigitalGuardianDLP" + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": [ + "T1048" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1048" + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "Name" + } + ], + "entityType": "Account" } ] } 
@@ -1585,13 +1825,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 3", - "parentId": "[variables('huntingQueryId3')]", - "contentId": "[variables('_huntingQuerycontentId3')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion3')]", + "description": "DigitalGuardianDLP Analytics Rule 10", + "parentId": "[variables('analyticRuleId10')]", + "contentId": "[variables('_analyticRulecontentId10')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion10')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -1610,58 +1850,51 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 4 with template", - "displayName": "Digital Guardian Data Loss Prevention Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId10')]", + "contentKind": "AnalyticsRule", + "displayName": "Digital Guardian - Incident with not blocked action", + "contentProductId": "[variables('_analyticRulecontentProductId10')]", + "id": "[variables('_analyticRulecontentProductId10')]", + "version": "[variables('analyticRuleVersion10')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName4'),'/',variables('huntingQueryVersion4'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - 
"description": "DigitalGuardianInsecureProtocolSources_HuntingQueries Hunting Query with template version 2.0.1", + "description": "DigitalGuardianDomains_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion4')]", + "contentVersion": "[variables('huntingQueryVersion1')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_4", + "apiVersion": "2022-10-01", + "name": "DigitalGuardianDLP_Hunting_Query_1", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Digital Guardian - Insecure file transfer sources", + "displayName": "Digital Guardian - Incident domains", "category": "Hunting Queries", - "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where NetworkApplicationProtocol in~ ('HTTP', 'FTP')\n| project SrcUserName, SrcIpAddr, DstIpAddr, DstPortNumber, File=inspected_document\n| extend AccountCustomEntity = SrcUserName\n", + "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(http_url)\n| extend u = parse_url(http_url)\n| extend domain=u.Host\n| summarize count() by tostring(domain), SrcUserName\n| extend AccountCustomEntity = SrcUserName\n", "version": 2, "tags": [ { "name": "description", - "value": "Query searches for insecure file transfer sources." + "value": "Query searches for incident domains." }, { "name": "tactics", 
@@ -1677,13 +1910,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 4", - "parentId": "[variables('huntingQueryId4')]", - "contentId": "[variables('_huntingQuerycontentId4')]", + "description": "DigitalGuardianDLP Hunting Query 1", + "parentId": "[variables('huntingQueryId1')]", + "contentId": "[variables('_huntingQuerycontentId1')]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion4')]", + "version": "[variables('huntingQueryVersion1')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -1702,58 +1935,51 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 5 with template", - "displayName": "Digital Guardian Data Loss Prevention Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId1')]", + "contentKind": "HuntingQuery", + "displayName": "Digital Guardian - Incident domains", + "contentProductId": "[variables('_huntingQuerycontentProductId1')]", + "id": "[variables('_huntingQuerycontentProductId1')]", + "version": "[variables('huntingQueryVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName5'),'/',variables('huntingQueryVersion5'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
"DigitalGuardianInspectedFiles_HuntingQueries Hunting Query with template version 2.0.1", + "description": "DigitalGuardianFilesSentByUsers_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion5')]", + "contentVersion": "[variables('huntingQueryVersion2')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_5", + "apiVersion": "2022-10-01", + "name": "DigitalGuardianDLP_Hunting_Query_2", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Digital Guardian - Inspected files", + "displayName": "Digital Guardian - Files sent by users", "category": "Hunting Queries", - "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(inspected_document)\n| project SrcUserName, DstUserName, File=inspected_document, MatchedPolicies\n| extend AccountCustomEntity = SrcUserName\n", + "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(inspected_document)\n| summarize Files = makeset(inspected_document) by SrcUserName\n| extend AccountCustomEntity = SrcUserName\n", "version": 2, "tags": [ { "name": "description", - "value": "Query searches for inspected files." + "value": "Query searches for files sent by users." }, { "name": "tactics", 
@@ -1769,13 +1995,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 5", - "parentId": "[variables('huntingQueryId5')]", - "contentId": "[variables('_huntingQuerycontentId5')]", + "description": "DigitalGuardianDLP Hunting Query 2", + "parentId": "[variables('huntingQueryId2')]", + "contentId": "[variables('_huntingQuerycontentId2')]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion5')]", + "version": "[variables('huntingQueryVersion2')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -1794,58 +2020,51 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 6 with template", - "displayName": "Digital Guardian Data Loss Prevention Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId2')]", + "contentKind": "HuntingQuery", + "displayName": "Digital Guardian - Files sent by users", + "contentProductId": "[variables('_huntingQuerycontentProductId2')]", + "id": "[variables('_huntingQuerycontentProductId2')]", + "version": "[variables('huntingQueryVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName6'),'/',variables('huntingQueryVersion6'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
"DigitalGuardianNewIncidents_HuntingQueries Hunting Query with template version 2.0.1", + "description": "DigitalGuardianIncidentsByUser_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion6')]", + "contentVersion": "[variables('huntingQueryVersion3')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_6", + "apiVersion": "2022-10-01", + "name": "DigitalGuardianDLP_Hunting_Query_3", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Digital Guardian - New incidents", + "displayName": "Digital Guardian - Users' incidents", "category": "Hunting Queries", - "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(IncidentStatus)\n| extend inc_act = split(IncidentStatus, ',')\n| where inc_act has 'New'\n| extend AccountCustomEntity = SrcUserName\n", + "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(IncidentStatus)\n| where IncidentStatus has 'New'\n| summarize makeset(IncidentsUrl) by SrcUserName\n| extend AccountCustomEntity = SrcUserName\n", "version": 2, "tags": [ { "name": "description", - "value": "Query searches for new incidents." + "value": "Query searches for users' incidents." }, { "name": "tactics", 
@@ -1861,13 +2080,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 6", - "parentId": "[variables('huntingQueryId6')]", - "contentId": "[variables('_huntingQuerycontentId6')]", + "description": "DigitalGuardianDLP Hunting Query 3", + "parentId": "[variables('huntingQueryId3')]", + "contentId": "[variables('_huntingQuerycontentId3')]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion6')]", + "version": "[variables('huntingQueryVersion3')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -1886,58 +2105,51 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 7 with template", - "displayName": "Digital Guardian Data Loss Prevention Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId3')]", + "contentKind": "HuntingQuery", + "displayName": "Digital Guardian - Users' incidents", + "contentProductId": "[variables('_huntingQuerycontentProductId3')]", + "id": "[variables('_huntingQuerycontentProductId3')]", + "version": "[variables('huntingQueryVersion3')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName7'),'/',variables('huntingQueryVersion7'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
"DigitalGuardianRareDestinationPorts_HuntingQueries Hunting Query with template version 2.0.1", + "description": "DigitalGuardianInsecureProtocolSources_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion7')]", + "contentVersion": "[variables('huntingQueryVersion4')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_7", + "apiVersion": "2022-10-01", + "name": "DigitalGuardianDLP_Hunting_Query_4", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Digital Guardian - Rare destination ports", + "displayName": "Digital Guardian - Insecure file transfer sources", "category": "Hunting Queries", - "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| summarize count() by DstIpAddr, DstPortNumber\n| order by count_ asc\n| top 10 by count_\n| extend IPCustomEntity = DstIpAddr\n", + "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where NetworkApplicationProtocol in~ ('HTTP', 'FTP')\n| project SrcUserName, SrcIpAddr, DstIpAddr, DstPortNumber, File=inspected_document\n| extend AccountCustomEntity = SrcUserName\n", "version": 2, "tags": [ { "name": "description", - "value": "Query searches for rare destination ports." + "value": "Query searches for insecure file transfer sources." }, { "name": "tactics", 
@@ -1953,13 +2165,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 7", - "parentId": "[variables('huntingQueryId7')]", - "contentId": "[variables('_huntingQuerycontentId7')]", + "description": "DigitalGuardianDLP Hunting Query 4", + "parentId": "[variables('huntingQueryId4')]", + "contentId": "[variables('_huntingQuerycontentId4')]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion7')]", + "version": "[variables('huntingQueryVersion4')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -1978,58 +2190,51 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 8 with template", - "displayName": "Digital Guardian Data Loss Prevention Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId4')]", + "contentKind": "HuntingQuery", + "displayName": "Digital Guardian - Insecure file transfer sources", + "contentProductId": "[variables('_huntingQuerycontentProductId4')]", + "id": "[variables('_huntingQuerycontentProductId4')]", + "version": "[variables('huntingQueryVersion4')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName8'),'/',variables('huntingQueryVersion8'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName5')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
"DigitalGuardianRareNetworkProtocols_HuntingQueries Hunting Query with template version 2.0.1", + "description": "DigitalGuardianInspectedFiles_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion8')]", + "contentVersion": "[variables('huntingQueryVersion5')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_8", + "apiVersion": "2022-10-01", + "name": "DigitalGuardianDLP_Hunting_Query_5", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Digital Guardian - Rare network protocols", + "displayName": "Digital Guardian - Inspected files", "category": "Hunting Queries", - "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(NetworkApplicationProtocol)\n| summarize count() by SrcIpAddr, SrcUserName\n| order by count_ asc\n| top 10 by count_\n| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr\n", + "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(inspected_document)\n| project SrcUserName, DstUserName, File=inspected_document, MatchedPolicies\n| extend AccountCustomEntity = SrcUserName\n", "version": 2, "tags": [ { "name": "description", - "value": "Query searches rare network protocols." + "value": "Query searches for inspected files." }, { "name": "tactics", 
@@ -2045,13 +2250,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 8", - "parentId": "[variables('huntingQueryId8')]", - "contentId": "[variables('_huntingQuerycontentId8')]", + "description": "DigitalGuardianDLP Hunting Query 5", + "parentId": "[variables('huntingQueryId5')]", + "contentId": "[variables('_huntingQuerycontentId5')]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion8')]", + "version": "[variables('huntingQueryVersion5')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -2070,58 +2275,51 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName9')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 9 with template", - "displayName": "Digital Guardian Data Loss Prevention Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId5')]", + "contentKind": "HuntingQuery", + "displayName": "Digital Guardian - Inspected files", + "contentProductId": "[variables('_huntingQuerycontentProductId5')]", + "id": "[variables('_huntingQuerycontentProductId5')]", + "version": "[variables('huntingQueryVersion5')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName9'),'/',variables('huntingQueryVersion9'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName6')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
"DigitalGuardianRareUrls_HuntingQueries Hunting Query with template version 2.0.1", + "description": "DigitalGuardianNewIncidents_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion9')]", + "contentVersion": "[variables('huntingQueryVersion6')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_9", + "apiVersion": "2022-10-01", + "name": "DigitalGuardianDLP_Hunting_Query_6", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Digital Guardian - Rare Urls", + "displayName": "Digital Guardian - New incidents", "category": "Hunting Queries", - "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(http_url)\n| summarize count() by SrcUserName, http_url\n| order by count_ asc\n| top 10 by count_\n| extend AccountCustomEntity = SrcUserName\n", + "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(IncidentStatus)\n| extend inc_act = split(IncidentStatus, ',')\n| where inc_act has 'New'\n| extend AccountCustomEntity = SrcUserName\n", "version": 2, "tags": [ { "name": "description", - "value": "Query searches for rare Urls." + "value": "Query searches for new incidents." }, { "name": "tactics", 
@@ -2137,13 +2335,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 9", - "parentId": "[variables('huntingQueryId9')]", - "contentId": "[variables('_huntingQuerycontentId9')]", + "description": "DigitalGuardianDLP Hunting Query 6", + "parentId": "[variables('huntingQueryId6')]", + "contentId": "[variables('_huntingQuerycontentId6')]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion9')]", + "version": "[variables('huntingQueryVersion6')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -2162,58 +2360,51 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName10')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 10 with template", - "displayName": "Digital Guardian Data Loss Prevention Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId6')]", + "contentKind": "HuntingQuery", + "displayName": "Digital Guardian - New incidents", + "contentProductId": "[variables('_huntingQuerycontentProductId6')]", + "id": "[variables('_huntingQuerycontentProductId6')]", + "version": "[variables('huntingQueryVersion6')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName10'),'/',variables('huntingQueryVersion10'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName7')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
"DigitalGuardianUrlByUser_HuntingQueries Hunting Query with template version 2.0.1", + "description": "DigitalGuardianRareDestinationPorts_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion10')]", + "contentVersion": "[variables('huntingQueryVersion7')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_10", + "apiVersion": "2022-10-01", + "name": "DigitalGuardianDLP_Hunting_Query_7", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Digital Guardian - Urls used", + "displayName": "Digital Guardian - Rare destination ports", "category": "Hunting Queries", - "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(http_url)\n| project SrcUserName, DstUserName, URL=http_url, MatchedPolicies\n| extend AccountCustomEntity = SrcUserName\n", + "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| summarize count() by DstIpAddr, DstPortNumber\n| order by count_ asc\n| top 10 by count_\n| extend IPCustomEntity = DstIpAddr\n", "version": 2, "tags": [ { "name": "description", - "value": "Query searches for URLs used." + "value": "Query searches for rare destination ports." }, { "name": "tactics", 
@@ -2229,13 +2420,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]", "properties": { - "description": "Digital Guardian Data Loss Prevention Hunting Query 10", - "parentId": "[variables('huntingQueryId10')]", - "contentId": "[variables('_huntingQuerycontentId10')]", + "description": "DigitalGuardianDLP Hunting Query 7", + "parentId": "[variables('huntingQueryId7')]", + "contentId": "[variables('_huntingQuerycontentId7')]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion10')]", + "version": "[variables('huntingQueryVersion7')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
@@ -2254,59 +2445,59 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('parserTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, - "properties": { - "description": "DigitalGuardianDLPEvent Data Parser with template", - "displayName": "DigitalGuardianDLPEvent Data Parser template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId7')]", + "contentKind": "HuntingQuery", + "displayName": "Digital Guardian - Rare destination ports", + "contentProductId": "[variables('_huntingQuerycontentProductId7')]", + "id": "[variables('_huntingQuerycontentProductId7')]", + "version": "[variables('huntingQueryVersion7')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName8')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianDLPEvent Data Parser with template version 2.0.1", + 
"description": "DigitalGuardianRareNetworkProtocols_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion1')]", + "contentVersion": "[variables('huntingQueryVersion8')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('_parserName1')]", - "apiVersion": "2020-08-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "DigitalGuardianDLP_Hunting_Query_8", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "DigitalGuardianDLP Data Parser", - "category": "Samples", - "functionAlias": "DigitalGuardianDLPEvent", - "query": "\nSyslog\r\n| where SyslogMessage contains 'managed_device_id' and SyslogMessage contains 'number_of_incidents'\r\n| mv-apply ExtractedFields = extract_all(@'\\s(?P[a-zA-Z0-9-_]+)=\\\"?(?P[a-zA-Z0-9-_:/@.,#{}>< ]+)\\\"?', dynamic([\"key\",\"value\"]), SyslogMessage) on (\r\n project packed = pack(tostring(ExtractedFields[0]), tostring(ExtractedFields[1]))\r\n | summarize bag = make_bag(packed)\r\n)\r\n| evaluate bag_unpack(bag)\r\n| extend EventEndTime=todatetime(timestamp)\r\n| project-away timestamp\r\n| project-rename DvcAvtion=action_taken\r\n , DstUserName=destination\r\n , DstIpAddr=destination_ip\r\n , DstPortNumber=destination_port\r\n , IncidentId=incident_id\r\n , IncidentStatus=incident_status\r\n , IncidentsUrl=incidents_url\r\n , MatchedPolicies=matched_policies_by_severity\r\n , EventCount=number_of_incidents\r\n , NetworkApplicationProtocol=protocol\r\n , SrcUserName=source\r\n , SrcIpAddr=source_ip\r\n , SrcPortNumber=source_port\r\n", - "version": 1, + "eTag": "*", + "displayName": "Digital Guardian - Rare network protocols", + "category": "Hunting Queries", + "query": 
"DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(NetworkApplicationProtocol)\n| summarize count() by SrcIpAddr, SrcUserName\n| order by count_ asc\n| top 10 by count_\n| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr\n", + "version": 2, "tags": [ { "name": "description", - "value": "DigitalGuardianDLP Data Parser" + "value": "Query searches rare network protocols." + }, + { + "name": "tactics", + "value": "Exfiltration" + }, + { + "name": "techniques", + "value": "T1048" } ] } @@ -2314,18 +2505,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", - "dependsOn": [ - "[variables('_parserName1')]" - ], + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]", "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": "Parser", - "version": "[variables('parserVersion1')]", + "description": "DigitalGuardianDLP Hunting Query 8", + "parentId": "[variables('huntingQueryId8')]", + "contentId": "[variables('_huntingQuerycontentId8')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion8')]", "source": { - "name": "Digital Guardian Data Loss Prevention", "kind": "Solution", + "name": "Digital Guardian Data Loss Prevention", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -2341,254 +2530,73 @@ } } ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2021-06-01", - "name": "[variables('_parserName1')]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "DigitalGuardianDLP Data Parser", - "category": "Samples", - "functionAlias": "DigitalGuardianDLPEvent", - "query": "\nSyslog\r\n| where SyslogMessage contains 'managed_device_id' and SyslogMessage contains 'number_of_incidents'\r\n| mv-apply ExtractedFields = extract_all(@'\\s(?P[a-zA-Z0-9-_]+)=\\\"?(?P[a-zA-Z0-9-_:/@.,#{}>< ]+)\\\"?', dynamic([\"key\",\"value\"]), SyslogMessage) on (\r\n project packed = pack(tostring(ExtractedFields[0]), tostring(ExtractedFields[1]))\r\n | summarize bag = make_bag(packed)\r\n)\r\n| evaluate bag_unpack(bag)\r\n| extend EventEndTime=todatetime(timestamp)\r\n| project-away timestamp\r\n| project-rename DvcAvtion=action_taken\r\n , DstUserName=destination\r\n , DstIpAddr=destination_ip\r\n , DstPortNumber=destination_port\r\n , IncidentId=incident_id\r\n , IncidentStatus=incident_status\r\n , IncidentsUrl=incidents_url\r\n , MatchedPolicies=matched_policies_by_severity\r\n , EventCount=number_of_incidents\r\n , NetworkApplicationProtocol=protocol\r\n , SrcUserName=source\r\n , SrcIpAddr=source_ip\r\n , SrcPortNumber=source_port\r\n", - "version": 1 - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", - "dependsOn": [ - "[variables('_parserId1')]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": "Parser", - "version": 
"[variables('parserVersion1')]", - "source": { - "kind": "Solution", - "name": "Digital Guardian Data Loss Prevention", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Digital Guardian Data Loss Prevention data connector with template", - "displayName": "Digital Guardian Data Loss Prevention template" + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId8')]", + "contentKind": "HuntingQuery", + "displayName": "Digital Guardian - Rare network protocols", + "contentProductId": "[variables('_huntingQuerycontentProductId8')]", + "id": "[variables('_huntingQuerycontentProductId8')]", + "version": "[variables('huntingQueryVersion8')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName9')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": 
"DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Digital Guardian Data Loss Prevention data connector with template version 2.0.1", + "description": "DigitalGuardianRareUrls_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", + "contentVersion": "[variables('huntingQueryVersion9')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "DigitalGuardianDLP_Hunting_Query_9", "location": "[parameters('workspace-location')]", - "kind": "GenericUI", "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Digital Guardian Data Loss Prevention", - "publisher": "Digital Guardian", - "descriptionMarkdown": "[Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": 
"DigitalGuardianDLPEvent", - "baseQuery": "DigitalGuardianDLPEvent" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Clients (Source IP)", - "query": "DigitalGuardianDLPEvent\n | where notempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "Syslog (DigitalGuardianDLPEvent)", - "lastDataReceivedQuery": "DigitalGuardianDLPEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "DigitalGuardianDLPEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false + "eTag": "*", + "displayName": "Digital Guardian - Rare Urls", + "category": "Hunting Queries", + "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(http_url)\n| summarize count() by SrcUserName, http_url\n| order by count_ asc\n| top 10 by count_\n| extend AccountCustomEntity = SrcUserName\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for rare Urls." }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] + { + "name": "tactics", + "value": "Exfiltration" }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": "Follow these steps to configure Digital Guardian to forward logs via Syslog:\n\n1.1. Log in to the Digital Guardian Management Console.\n\n1.2. Select **Workspace** > **Data Export** > **Create Export**.\n\n1.3. From the **Data Sources** list, select **Alerts** or **Events** as the data source.\n\n1.4. From the **Export type** list, select **Syslog**.\n\n1.5. From the **Type list**, select **UDP** or **TCP** as the transport protocol.\n\n1.6. In the **Server** field, type the IP address of your Remote Syslog server.\n\n1.7. In the **Port** field, type 514 (or other port if your Syslog server was configured to use non-default port).\n\n1.8. From the **Severity Level** list, select a severity level.\n\n1.9. Select the **Is Active** check box.\n\n1.9. Click **Next**.\n\n1.10. From the list of available fields, add Alert or Event fields for your data export.\n\n1.11. Select a Criteria for the fields in your data export and click **Next**.\n\n1.12. Select a group for the criteria and click **Next**.\n\n1.13. Click **Test Query**.\n\n1.14. Click **Next**.\n\n1.15. Save the data export.", - "title": "1. Configure Digital Guardian to forward logs via Syslog to remote server where you will install the agent." 
- }, - { - "description": "Install the agent on the Server to which the logs will be forwarded.\n\n> Logs on Linux or Windows servers are collected by **Linux** or **Windows** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "2. Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Open Log Analytics to check if the logs are received using the Syslog schema.\n\n>**NOTE:** It may take up to 15 minutes before new logs will appear in Syslog table.", - "title": "3. 
Check logs in Microsoft Sentinel" - } - ] - } + { + "name": "techniques", + "value": "T1048" + } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", + "description": "DigitalGuardianDLP Hunting Query 9", + "parentId": "[variables('huntingQueryId9')]", + "contentId": "[variables('_huntingQuerycontentId9')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion9')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
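Review bot: The "Digital Guardian - Rare Urls" hunting query added in this hunk ends with `| order by count_ asc | top 10 by count_`; `top` sorts descending by default, so it discards the preceding ascending order and returns the ten most frequent user/URL pairs rather than the rarest, which inverts the hunt's stated purpose (the "Rare network protocols" query packaged just above this hunk uses the same pattern). Because mainTemplate.json is bot-generated, the fix belongs in the source YAML under Hunting Queries/ and then a repackage: replace the two lines with `| top 10 by count_ asc`. Also, `http_url` does not appear among the fields the DigitalGuardianDLPEvent parser renames (the removed parser body in this hunk lists them), so it seems to exist only when the syslog export includes that field; the query description should say so, e.g. "requires the http_url field to be included in the Digital Guardian data export".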
@@ -2607,210 +2615,125 @@ } } ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Digital Guardian Data Loss Prevention", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId9')]", + "contentKind": "HuntingQuery", + "displayName": "Digital Guardian - Rare Urls", + "contentProductId": "[variables('_huntingQuerycontentProductId9')]", + "id": "[variables('_huntingQuerycontentProductId9')]", + "version": "[variables('huntingQueryVersion9')]" } }, { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", 
+ "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName10')]", "location": "[parameters('workspace-location')]", - "kind": "GenericUI", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], "properties": { - "connectorUiConfig": { - "title": "Digital Guardian Data Loss Prevention", - "publisher": "Digital Guardian", - "descriptionMarkdown": "[Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "DigitalGuardianDLPEvent", - "baseQuery": "DigitalGuardianDLPEvent" - } - ], - "dataTypes": [ - { - "name": "Syslog (DigitalGuardianDLPEvent)", - "lastDataReceivedQuery": "DigitalGuardianDLPEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "DigitalGuardianDLPEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Clients (Source IP)", - "query": "DigitalGuardianDLPEvent\n | where notempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared 
keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": "Follow these steps to configure Digital Guardian to forward logs via Syslog:\n\n1.1. Log in to the Digital Guardian Management Console.\n\n1.2. Select **Workspace** > **Data Export** > **Create Export**.\n\n1.3. From the **Data Sources** list, select **Alerts** or **Events** as the data source.\n\n1.4. From the **Export type** list, select **Syslog**.\n\n1.5. From the **Type list**, select **UDP** or **TCP** as the transport protocol.\n\n1.6. In the **Server** field, type the IP address of your Remote Syslog server.\n\n1.7. In the **Port** field, type 514 (or other port if your Syslog server was configured to use non-default port).\n\n1.8. From the **Severity Level** list, select a severity level.\n\n1.9. Select the **Is Active** check box.\n\n1.9. Click **Next**.\n\n1.10. From the list of available fields, add Alert or Event fields for your data export.\n\n1.11. Select a Criteria for the fields in your data export and click **Next**.\n\n1.12. Select a group for the criteria and click **Next**.\n\n1.13. Click **Test Query**.\n\n1.14. Click **Next**.\n\n1.15. Save the data export.", - "title": "1. Configure Digital Guardian to forward logs via Syslog to remote server where you will install the agent." 
- }, + "description": "DigitalGuardianUrlByUser_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion10')]", + "parameters": {}, + "variables": {}, + "resources": [ { - "description": "Install the agent on the Server to which the logs will be forwarded.\n\n> Logs on Linux or Windows servers are collected by **Linux** or **Windows** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "DigitalGuardianDLP_Hunting_Query_10", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Digital Guardian - Urls used", + "category": "Hunting Queries", + "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(http_url)\n| project SrcUserName, DstUserName, URL=http_url, MatchedPolicies\n| extend AccountCustomEntity = SrcUserName\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for URLs used." }, - "type": "InstructionStepsGroup" - } - ], - "title": "2. 
Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] + { + "name": "tactics", + "value": "Exfiltration" }, - "type": "InstructionStepsGroup" - } - ] + { + "name": "techniques", + "value": "T1048" + } + ] + } }, { - "description": "Open Log Analytics to check if the logs are received using the Syslog schema.\n\n>**NOTE:** It may take up to 15 minutes before new logs will appear in Syslog table.", - "title": "3. 
Check logs in Microsoft Sentinel" + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]", + "properties": { + "description": "DigitalGuardianDLP Hunting Query 10", + "parentId": "[variables('huntingQueryId10')]", + "contentId": "[variables('_huntingQuerycontentId10')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion10')]", + "source": { + "kind": "Solution", + "name": "Digital Guardian Data Loss Prevention", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution." 
- } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId10')]", + "contentKind": "HuntingQuery", + "displayName": "Digital Guardian - Urls used", + "contentProductId": "[variables('_huntingQuerycontentProductId10')]", + "id": "[variables('_huntingQuerycontentProductId10')]", + "version": "[variables('huntingQueryVersion10')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.1", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "Digital Guardian Data Loss Prevention", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Digital Guardian Data Loss Prevention (DLP) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Agent-based log collection (Syslog)
  2. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { "kind": "Solution", - "name": "Digital Guardian Data Loss Prevention", + "name": "DigitalGuardianDLP", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -2826,6 +2749,16 @@ "dependencies": { "operator": "AND", "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "Parser", + "contentId": "[variables('_parserContentId1')]", + "version": "[variables('parserVersion1')]" + }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", @@ -2930,16 +2863,6 @@ "kind": "HuntingQuery", "contentId": "[variables('_huntingQuerycontentId10')]", "version": "[variables('huntingQueryVersion10')]" - }, - { - "kind": "Parser", - "contentId": "[variables('_parserContentId1')]", - "version": "[variables('parserVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" } ] }, From 898d52256e51ddb37cbae7de6e868d9166d1c690 Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Mon, 9 Oct 2023 18:14:34 +0530 Subject: [PATCH 3/5] updated createUiDefinition and added Release Notes --- .../DigitalGuardianDLP/Package/3.0.0.zip | Bin 16038 -> 16474 bytes .../Package/createUiDefinition.json | 6 +- .../Package/mainTemplate.json | 1454 ++++++++--------- Solutions/DigitalGuardianDLP/ReleaseNotes.md | 5 + .../DigitalGuardianDLP/SolutionMetadata.json | 2 +- 5 files changed, 736 insertions(+), 731 deletions(-) create mode 100644 Solutions/DigitalGuardianDLP/ReleaseNotes.md 
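Review bot: The contentPackages resource added in this hunk sets `"name": "DigitalGuardianDLP"` under `source`, while every other metadata resource in the template, including the hunting-query metadata added in this same hunk and the removed metadata it replaces, uses `"name": "Digital Guardian Data Loss Prevention"`. If the packaging tool intentionally emits the solution identifier here rather than the display name this can be ignored, but otherwise the package and its content items should carry the same source name so Content Hub attributes them consistently. Since this file is generated, any correction should be made in the solution data files and the package regenerated.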
diff --git a/Solutions/DigitalGuardianDLP/Package/3.0.0.zip b/Solutions/DigitalGuardianDLP/Package/3.0.0.zip index 6a20da13b3462ee5b9fdb03a8065ed0a04e68c89..070b5fb1ef02c8389550710d295480a919bf70dd 100644 GIT binary patch literal 16474 zcmb81V{~Lu)9+*3?%4Lkwr$%sCbn%m6Wf|hoJ?%nHg4v5?w9-CbwAwh5BqeVQ~Uhu zw`b?M*4W9^(8W~MQpD8E($3Pw z(%z2V%Gus-L&w`5w;lPbSD+WP0He<2*zkxxE&K0!Kjx8>V9xx*-ffsEUb(K+Zbs*N zybetVs{p?=zZSow`G~KTdIP$5$-J0>$EchpM+S#>^tHrEE;Z zeZRrB)+;dlNiaAqtM99LwZ>MG;A|PB_s7R)l3wvLym@24^zU**O#9g7^ssdY?8mL) zfouJs&nvA^e@oX39c7%?K&tFBx~JrMC!5zWxAOrg=o@%t90;M^SrbWj5p?);VB-Ae zVA+}DQHKc%Pf%9JkK8Z86vP-~YSuF|UXsf8vZ$e%W0nglf((MH!XiP9J0-=#`!na%gUt!r=x~Uzb2UN~QdnT`yIa24vy7YyL(Irl~WI-qW$YD?A z9{54GKj7nHpqiAQW`-%vTO~#Tg1I^N0Hf*@uYu^LIWXV1E(|#R?AJ5 zUg>3$UTLI=2I8cX9ZL$ZQg;jc;K9VBGEYm05|i0;0!?cT79rz1_D|xqgQcdk7mrQc zKqEU91^|^an-gOtGFy7;o zQ{HF}8Pv^Wq1w^Zcqrle##;wHjvnlQksk}r81PjRSOf#TX`*FMvaz~K07K8t!A@ugFhe1tygfB} zFSWOWuZ*K%S;*ot z0K}|D!0pIqT=Zp{5Qw&v>R-&hVBh%LCVo;U+jS*Mr3;#kSOU>3-x*&q?nE$oiZ8z| z7rW{fy(lHL&P-bnjt2aR_5h1Vx-~Lb{blf|a4h)V;#Y@3NHLZz2Dby#A)f~cy;H9P z067t1mW)M=94`BJe0^fTgR=;aEMci+X(Wn!p0rT2UE3i^|7?gm^jU?VJ`J`w`X`lG znmV9e3{JRK(a|ygetJL7W!uMcI$u#|Pgnv^!7l#h`P!FUDuIS2PUDB{sKExmO26Sy zzhq2e;d^TGZgvqG9WMVL9fLq2u{#}Otb+<7IMV@#;4xlV7lCS&a5F58bbTD$fsiO| z&ewyXQt3)M4Nj&xH_3<#IRM$Y%M+LSuZBwgJ}%2s0p^r+!e+f*E(Q|RSz4B6mVtMm zIJdt)42dt@-C;Hz)FEFJ#JbW*Js5J&c~{OZc&{!lu7Czz7bi6;8+XrRA$+KUfNp0= z$cjiLaHQq~W77q0y;%EDF6%4Mdd799t9=cA=rBKk!1$#9{ZnlA9cLgH^umfiMSzjL zWF;($2=|yejFitfC%#f(7~9zl1d3WfP1f4Qz01ylxN|YWF!no3gP1=Vz=loCT)WEYb8fK>|GgGSm9fw%7Yt7a4{RR4Z zT?sEDGPyej4e!fT+u8|_(H$&@cAKj?GCO-L<6Mw-Dp)F@ep?g_&LE2%^X8=VH`aTb z*i)x)9Ud9Jw_gqPe3*c7*xilug~r%Ib{jS|W7bn2wf1YU0P^{^xW5rAgz#chZ*BhL z-nvfJhPbFkX7aq@kLgT*xSAzg^`Bubq(2F)8PBI3kDaWjITsLXb%BN-l1d*UljdE~ zjD^YU<8B3H2XdX2IjNr^R-0ULQFLYp%Qqrv`8K(5pLb+)8O* zgx>FR7Esoj*DVD#!}&1D2I!exM(1lKYP1qBkECpICmJ$Y)6pRwr0Y!Ybo}Mqvl%4N z#SK$7TkQy12%$nn&KOUZF$fW-&MIq%iqc|J(cxr}5)W^T#SZW>>Q 
z_diY6HEdnHpgnnos;m7a5P-|>*w137vuo_p2X$-eOwbvz*oEUuBUZ_(gAQ0i99enn z<|70wy7^lQ)a0D!0=MT5x`H|luY4!8akBYjwnC!`Sk zv#js_ifiU!%M?tYHUIJ^IIQZAyPAFrc*1?s&z1;zIFgy&S~rxxF*w8c>Ir+r4Ig{a zs}4KsIt<++?c_|m042VW05u%tx%al0A{s|aN$6z_H6O603k7H<1?|<4d=;wiOnVjh z(#_S@XT6}z^}dFK1JuW*QQC^!%{|Oaizxt`%knLDHZ5Aa@L5k;@R^vie%M0MrW);L zUQ$&|_nVI&hi47;F(bI_*R5G>4#m&#pU3Yqe7yWS$&0t7TbibQXbBJUx$O zP}=xsJ;T1Q3)t?0|0e7-n|xEIt+7vf?zes4ShVHo2wKKvzi%{yx2+u$1)0X;xh#5E zZ|B}*@OA*@U+V}6Lf^GpuA9zcJCB%u>`KV)=H(wnkr28$+z!Hhd|8CY{e|Q{82Ztp zIj9$WZoGfG6Js0Pv(>>X9|xlr&6XNh7pS=jGF`f!g;FC)c>_1zP_LD-Q5ab>^%PGqgG+n3u>6%AOI9WKmn z|G=o>P7NPh*jG(HTTC9$_Vo=p2L+qNYDZAb@cwHlICttC%gWA zhNsh&?q0~tsprw|M$u!#8q*~R=cY3MAJE*X?xL&JW6QRwcb3$xx*5A`5R6OkOyHTv z({VN+9Q6>tc`U28bl(7&_0gx47$6I8@N*oX->@kBR`;wrRQ^f1dj;x;xY=Y+*92hF zYcy#~HD*=&{_`VNZ3>7ZQkCHB+Z-Sz7wAW41uAIIipFI-%0Jz07Ow+ax)c53odycq z;&3?N0o2(_AzSOaN9dPm;QZOP5CUu5O69=ul__tEBo#Z#a8bqa*j-9l3qe_evyW4Z z81cncrhfC3R?j0tg~vi{VA&V=skE?yl&3|*(sO_4%LU#5%B&#ibh-8OgonHL%cHMf z!Rg=h!w6s$(wRN!huBiW0MW5?xJFm4R`fXL-0Tj5j$+%5dyQKDuyIh$anH>)f zW4c)o>uEp}?0$UYv}ML{h97H|Pj2U_mPbDNsZzWU)X0?Gfpx zxjpkx7dMr!eor1w?1G%AZBTmq_wW*R^pJCi5Fbh}-WG?GQw~j%q5t=@ot(uVMLe%h z&ZG$HqZj*d{#XhJbxl3DQ7DGen_7k$H$ILKNEA5R(E!L5qTm zqAf6>V$jP+2!EXd=oFo2rZ1lm5$#u987kKEGq7xPR6gm>5MKx>ontuqv3T!p?&%-1 zp@tKK!RU0a5<5cWOI4pRaZZ-U^bSl~R1mbl^eEs1RH~le!E5Cb8N)q=fUQX!TZGTv?AlGoTdXUZOlAmm} zPxL@8qljbe1bl%w~ss>AXpCzD2VbT=89 zcljv##O$2@6o>$4K!q)}g<8S34s9+DU@xNRcBsxI>S3nmgl`03C=`hzDuaRKRWihPtQ=S=__LE4%DgZ$R6ggI zI}2X%4`Dhk??(y2OC297_+kz?wy_V~iSwqEAUG%Rv6bJ|ts}TMldNOsm?1AXM9`h2 z!hbpIXfxA^C*b)qI>1{CsI1urbgn{QR$^VA4)4^sg?4rnIjE}#bauQssCV{vSF(qR zoI$yZap0_iVww#hZA6fr1SQaBgqlg#*zWC&u-6-A(K#$}_3NSz>aKCFH%~b%xuIRI zQhyJCOD&Ez^@YRuWBi?|<8bLZ>y^;rQyhpkL>uU&0;&pn^2|tEQN_@2d+vT+%t75P z&h>|Hdv~(9|;2m=m3>mQWb4*olCUPgXk1# zfo!AWNMfCj^bob9WE;i(!*kI?a;$8*>d@&s&w|f2*i$`hx0`D<5B|(HNdeoDXZXGa zi?SI3TP<2?nwKoMA`7;< zOUgUgKEhkl;aH|J9#di&GvhpLUY)|9l}N8#5c(Rg@~W~{?o$KzsurejeurMEEYyu4 
zajk!fs@BQd#3d-;456MkSTlx1x&zw(dkq(8u&GV*M=mAoLA`%)0EU@+IRn@Qu_~x9Ry7f=d)ZE6eBe=;qrmT?^v9K*+VO5fhR_;i22#1@*7ywtT z#1pu2xxdgMQgFMD@QeR{wKRgoDRnP$155lwCo0l5wq1 zkEZ&zV#vUrx|$DaIcCaWOG?)jzHaHXQr1AftfoV^?ryA-hqN^)M_KLQapaisFHz_q z>u{(h*9OUfJv{mxJGy#{tobs? zqn2cfJQ;+yvgCtcpPd`Tn;Lbc_4geVZ9(3+&=)QObJP_Mh}!YbvjeGH#l_6EJq+5H z6VV{Y6XgsZV^w`gv1=?lhT~^!!RQQX(N+FK9$n>|yxKqVx&O#N%>N@V|Bw8E%74hy zlsR?EK(UD~vQ75S0v#SF(j)40B>n6;2FAQEup4i)C01rAgBihrk(ND}hZOWF$y^0{ zxlmDF>htOTK74JitXLD}ZA~Bh?IP;PXe~0(g`nZj!SBic5tu+XscL8q*iA$Lzx2~h zU#KebRCnc!A{D|PdQnL&8&<5iCdc%b@O0g5DO-7ap&ds`xqNgzGM3sG|D41Oh264dJjXqO|Ui}R*t?l6(_;qba* zpc|<9dj6Rvh{T9a7Y#Day7MEe*CNm@dkhMe|MzHKDz`zW1#5_@eeX z_Rx&tvTP|~+K;836y^Xp1mASkCAHsfJZj{`l68>KK@gl=K$m1UJmxHBxy&$lxquO2 zki@HZ?l-bm9p~7l9~G{Zoxuv-PV1HulvMvT?u993nml^^{gB)P8Ga^t5b$$zAm5J z8q(`VaCc-r6ALb_+xzAC^^ONk?h1QAm1aiGe7a2564gsAw;UiC^Dmdfj-%KG(bEPi7LEey3SB zUOR@r3%aD!sjVt8I}V)jD@S}6U|L0%fs{mY2wcUE0r<;lmU>pgOmh&G98Ce+p+9E8 z-60z2tz_9~RWa6S${h#MfTin>AJ`5lbKL#?L7NnPIAm%0o=WG2bo}eyRgIjmd(0C! 
zyInT24iwon_^P^J8#_S$kOc!JM=FVxEC!CD$fO6K$M)UT)DE6mfBFA~J4{7^CnXh9 z2S#e>MCJll*MGk0Cz6sk38rCowTwj8DGTo%{`$);HrJqukbIARwkEc6cc7E`1daGm%_7M}Zt^{0fu zA-*Ea^Kam=RrVVh`tJY=?TO2vABRZ|&Lw*YoW+rIZ5(ft&U?^%i!n}|2D3`@{Q z`O(a;G>C8O<6=1+)tR(dYVCM%Xw8;g4M%+3{G5PhrjOJrL7h18%lXudUz#8s`pt#o zSfp{s<6MO=gTkN`(9)v?je7f#F8D}W_&T9eFYg&=10+0Tngipq*Q$ibLMQJaiZCdm z`wTI}kQ1pRhyyCQqc5Q2kHeovX3D_rOhZUNWl_W89nQ%>C|8RAxbFD*S5v~W3qGzFHV$RJ*O6_qq+6unxV_beoD>Wccam$795T0VP z&QB|N&V*JoWlR*-C6mi$FO)5Ig7mJ{w~ql~J6AKjUedXjeh zhd4|Q;x#Am)jjtwyw8sOA6oW-0=C_UZ~?MwTLa~y21Y{u7*^hmA*JSDii1r%Z%5#f z>ov1*i?n{x>RH&w_{t%O7rTL@Tz`C7v`S$gOiy7wF9Zj^a4(y?j*TcL6K|oPUJZ3C zk2OAPbCLzOl&0GG#nlzZL%9%-qj2Jc_8ki z_lA)c<+coqOaP)Un(#-v`)srD$Q=g?4F}wH(*wK$TFK|qIL zE&#GCN#*^JW`e;sMI5y;fp@C1>(8ATB)UzHPteRhPqj~Rw8(9^cn#usV;K$~+ z?Oc(`kfsSbUE>_t$klq4Q&5rmucmSo7*!;BFm}x?Wsnej8C3EOehHaW!03Js>W)>%ybT z8#Q2Bc_o_t zhh}N_46EX-2;Dd7!B?=(FZx0tvG{txDsA}1wCbqGrYJI&cg*TYspTbfe4Qa7i0C0} z1Z<``d?gND6BT8s?O?6ldVUl);{wo~KAtYP6WtaIwq z=~p{38xLc`gv?%$esl52L}2)MjOC=zds!$6n~ZXoqE{<>%69Ka;H=k9@?Y4$gke!` z%C<6|o|q2c;- z*9dDll6|6snhd{q%tl#_5?dcpJf8eM1*vWmC=7$i?(TfgIzn5ByekmTQm(chdj@FB zC7=<;Vj$DrBjsmbW*d0cyEcY1WM&<-yykljHd6Nd9G&295l79*B^K5uYkV?paIXa# z@hSAZta)BJx_oTs{(J2vFM1($8EbrTTH?!m>Yb=~ia=VVVz+#j8oetoIx`j}X~>-= zAqLI8Mp5)QTF$k>hu!=(T3#v5Z^CR90zUXul4m7Vo$gn8Q;UVdGW93PZ&nIJ)0?VO zo}aBGuVxt*kan-JCylb{l|Qw`gI=PFhs?XGqN1xj{8g^3==c)^Kn_mo`IWi*Dd?n_ z?bbe7lNg=ZkW@M+1H~m8`F_7@KdIol(Uh8#EQB~4djd^XeiayUv26_iC%Sr!j=rh? 
zGVk?s5c4v@DeE13;SwKtd=DDSs?Ox08DSIpa_vy@&eK_=SfX6uYj2USLGM_nSR(Lt zl3fef&m4yL-bl25A4S*lbfmR0M;&D|G=JM)e6h z9jU{<(ci3vRy3Mv`F=V zfdDC~5jcuYU~)At`6K=#{F5a6*?_9506GF}C=Bui#%N_V4Gl{#Vv2wu%+Ug5>OjSK zJ<}BRIm7kZ@znKP&~j0jvd!`%S73@;FSz^3RhmCURdPHF+CgzHdsckXD<2KTIpRxW z{0{EBPG3r1n!nzPjyCvRTVt-t-0b9$x-_pkM`lTReclu?^r-$x{M7O`?VNcApUxPw zZ|aFOt7S${4U6v^ox$s4iJ5%dNs_ql2v!Bn0c-y~6>g(Up6Tn5Q|gH||6JO}tSqyy zl#5!-A!?|B#2xelJUnsj3V!BQ->lD8)M3#Tq}PGTmY^AA;Z&mUu7u=AO_DGDoZF*b zRmX8pv_^#r>HuP14z9oi8mjuBxrUZ~-L2`$$6?=V(y#h=*M~gG$zOEloFcJTNm`t< zPA^%V4o`<93?e<4Q)~#^Y+__RV6I29p8;wps2P-~lAq9@sAEl8V~x{|jV1)Wv>9ns zwxeD9e`GjZi4kpOW_X#e^1)3u1Ln_958iQw>8qVR#uz393+oy7(}4+aGmI9AcLBDAVmE=x_X3Po~NS zba$c*<36TR+J`j%+jtX4kESrk6OBUjZR;IsZ zdFEHJSJ$}t>SdBm3mvG&MKsB&{}!7Tc1(%nH2sX=O338pC6^+|AT%beNS*^jEwPzk zR!ogR8P_DQ{E$&`lU^DXLGKH;0!yB86b6whx3_@soV-L*;9g4&unG-$&BA;(VFd)e zFff`UUS6jtD`4xA2yu-GN`^{-xx@r};j||mo6zF?NVe$seHzPnO()NB6Rg!iMO?A1 zR<2XAtkqs7LQi-#fo>?6D1Q=I|5PCSjGhD5Su7oBsHHDQ`gJqwQJBi#AwRw=&u@rN zdij_&!7N_3G&Jj#Wm+BPU9V680m_x7-8+Vb`-%YVksLM@E zB<9OFaP} zWG7}`jUM7=AgNRw$rL#6uS3#wz7?rbg@m+<`ZL`n?Jt1j7zUwqJVRPSbJaEeKD-j- zRObV>M&O?^(4jeJx;?X$t7P^^?=06{nRfnzH|%UGi^FK?BHmKmOBhno53^!N^yi{0 z8pdYq1hwM0u*Z?Pq)s2aTI%G{c(fFzGRp}}64)_VUj&)-sHJZro!gas00k_S5NTX9FkclcAoXSB7L@u-kx7QO6qK|( z=5H4Su7S$d4A}Qp+W~Q-!<>P`MC!J@N;Aj1=(STa;Ap&xCj%!f?yC{eTY<-hri2Tt zN(2%43rrf=4QUY#KwYxZ>r3kGq#u59;W4*3=V>dbx}$EhBl+ZZ^rbtV*2B2xfO~b< zC%BiMV3`H~CjFr8~wP*PPk%o5|alWefZaWURxv#C)|4e+zjH zRf}IbN4VT-Z0p5d2Xtda?S87mzdbRpA!sf$1bld-c$z*LljbuL*1)_$S2W}Clj#v` zw1D18&uUs^+#{Z_rlccp%Lp_z^H0Ao{RXCGj!34Ek-XK&wvU@mS_7*gIvE8HlMca9()Azv*&FAds&22Yj#Y z1=jcK##nD7EC(fxB0GDgzXh5II?nz~#%qH*x`70Tu8Za4bbj}l)7$n2#gaMF4A_^_ z#v%09#K||r+1@^|1d2!y>tOwP458^d$f-wF28<)Hl3D^x3s0EZ$SUw=`SUx)r$H!y z2Q4`C&X^0YGkhn~pWm_^z6ySSOm2V1T`Ic_J*yUd4o>6>V?0PJd=-4ln*5d(9b8rD zr*I2kx6JQxH*mo`lTSRePVjqdkmxlm_J6*W&^Jm?pr6Im1$+~!{3i1AKE+nE*gm00 zV~Y6Wk>un1&d4V;pnX=H`p5M|Q<$f?tNeP6+?-z{yYFTWpA_L>^y^6Exdeg`druuV 
zpNeKzL{U#<9$yl~wdbYLU}(dGsyBRUZmiMG_=fshe32E=*bCpZCqj{EBHH?X=KBJba&gz$GM0eJ(^9@@g&HE;jJ zo9gi1f&At8PvJ9J_?O22RtPcNO!x`C;N~NeTiMC8=!-nWuzsq}k0CILM4Ag6?+KUx zgI~b|&Oo;qsqoRC7RHcV6+s&C9aI2T830}{k1rw9l|&jJ5O75u$=$3dvybBF_ca=V?zwn-be;!EI2llvpS zmoDaCM1@)xz}1D03$MD>fqC%XV>bH85sIC6c?c)>#eu&SC4qV*(5-&wi3^VCM|nMh z3u#)GS<$z`E8_+DLD%nXIn&cX7xhTD`kg15w)~pD^Mq^BhYgqp{5EVi8`$$Vp|wBX zgto72w1cfV~L*Z!FkCoRsrZrW^ntSMvh@5h*)Sx5qXewqiD+7=_JI;<7YY!z-} z`lgXrefIDBi$C`Rxi!f1(j+}r`FiIyM3tD}>EAK+@Mqv*JB@H24XGRaeiFzFLAdhlJNnu6-dRO zf?@R7G4h%`^*cKz?CpT=2VRPa71r4?k`$?`CI5lMnnK zNB((v#FUaSfiXCIL1x}TDGVIagjZ&kAECQbStYdwS4zSfq6WfhcH|z3oQ44;aPCmN zL;lqhK@NPN>Me=b{b{zeGB0OSOAD&h?4Ij8i|vr@#z*}ZgLyPfWR&87_;BtBTio|~ zeHn?fYxCQk2$KN+95^N#XLdxO)DGuoXYeo7shk_u(JmWK`6-r2KdDa;N>~*vT^@u@ zKBF8i=WwfsqnSqN3%6UT8+P-EY7tSzOzi~P<)_lfhMPSir31%unyP*Prsofyy-bL) z4E01l4Q6`$#A#19A*k-cTO!_2;?${YRdeH4Y%jUq<1M}?;Xdu)rb1%6+gGr%gS;y@Znk zb?anX3p`ggSV}QpCC_+#uneNDscXv$GhTITg$k^Oi$hThQh{bD(@LNcP))JvawnSBm(1$UqmrtUF$^cl_jVe>GxcfHVd`}R6+LWDh*@up zPPA*dK0V3FRHUsWzrW4}?XSALJ%5mzYG72yW*U&Q`(LKHmL|lX>@GeHAU_aj3Py54 zTVMBQ@WKUAa4l(l2+&|&c~|MHKR@EnN zUFL;iUV&mCqQ-4{P`zipg&+y;lsX5n3SKbD`$IyELD28M*_YwZf%vz}LsP zAJx@!X1U^ThY&k+Iz!exQOXY(xcWYAmb@tkrH#%1j=Ek7oQFHvkUaU2T+wClp$kFq zz-S$KH+jEc^FW49%oS|gMrO{&~z4Ov`GEI>yS&mgyAf$nA0L-l-O~bJxv8`-hvG}(O*bR z{a=Rk8M3zo{hU3ZVTd><$(ibxbqvCX-Y;F{M+tW%ku4I~dsM!NQFnZ8N7hAbo!RcP z_xPu#WPj(Yx-SZ>Hpw7Sj!hc~r%3X-4u7d21Gf+c3kQR6N51IZ4iH4uZ02+SLDbd! 
z;hFgtMTFj%VF);j*o&yd18LQ`Kz&n*8a*sjs;kGXt4yuR<%!|gH^KU+p2j<>nj_j* zEdFM+*G0iVnqx+F66Ogmo&OQ<*e^VUzzRXf&7#~XW)WAs^Si^wkSr3Mda4=fA1=Ne z)Rpv93wF0bN9xIW)28U4^7=vyLU=BU1;@a}iOGU^u%foa**Aa+gjc77 zj^aK>ELsPk6?^h50yD20+QyXc?@$a-V6H#^|W zoC%IxpeQi;oxDJ89}*jqP{vJ%!3;Q#{1`m_QnmAe_ICs>*(+#O1%VetC7NG#!JDMP z!;<_phnG#s))QdXN7mMWueQ&J$yJ^uL zvhWcEzYzR8usq5>?|VEq)W^xmeY1wf_C{#RdxD<;`p7V{@MolYaVVo;#_J7PEmwC` zvCF+x{lN{a!=j6yH09b2v`IPyD3%)(F2WaN}9#Dp8VWq)On|+}fh} z)|*9lbLV&7^08GMP1X0&0*SO^l!q~yM?WccTdW-eSv1))($fXON^*oY$<|k(6mn z-p!OV_wF{pT?PxZr1E$m6jJ1vtU^c@g@tArP6_J{kRpv5@lY4C+0vQX$b|uxNO} zw2ATY<_}nZIqKR5wK(NQ=ihdXg-_REc{y4dD4(5i{^rDT#0v#N^uqTTVY?od5G3x` zKkb6-9W@2quhFp(9W?(EU)WH*2H^f?88(vGDnUiA**g&talY32J3;V@>S$xa9Ddp+ z!rykDQyzq{yG?i-T+Mf$VdLr~XH0l;VJEcvL8~D{;s{Ewuj|Q>8)QAPjpT#;)m58G ztgugW^f!hB3fB~YHKLp)J<#104))Vh%r&(NGr)mS-GIjzVEAXZ@5`|)oWg!WN6$=q zAQsF&|1GW!$!I$QX2&odVY9=>25D;&aK|mFWjr979a|Kw1LM5N11r*JK4e*I}zio4?EmSmVpVTor{{Ow_FU zLkJwOwb@R} zKoQBDv&vLIIC7KRW*2eugOi7W*9?8aR=-auP#gQDSi ztz!A?#+k>8tbwJ*7|$qIspi4TfElC6gG;=8CXd&4ToAZk*paN@T$JVY3^`r%(00rz zc7qo2sF^-em=iYcQ({Ah7(1FMeV7AgeUl|2jUeii$a@<~C(s*>t~>+HA@D=231d zWdPQ)*ndae<|NQ93-Xqv4N*lUQ8~v5e3xVb&O{s(H%QSSP=~cCG?&O1yDx`2GNV&c z^~!91`r*i^l6uGYXu&N@?VLn`m3OV!7uxxA;W+@+984p?s zS2$c0VQGyjjf80(6urkbQyp(|r0z)H;b`EpCqlm<1muu|TF}~8gB=n5K@lDAwd=E?k|@* zEtR&%=@3L;YdoD&?`LTEpBAVo3&>d5`#v0PEX{j{LTH2ge91&W-RU^gIrjImtCK8LKF8-EPB6Nx@EJ%vWDq&%9@GaF5*tpgGlfs0 zfQL4LbBZ*#Zh|}A#6h9)_Ga{WMD)-tpsnUCqFD_ORSG9=>&Vzi=h(%|52l4CeLc?~ z?z^jMj_wgUr(^HV8s)~2#^J0`88XJ~a${vOQAqq{wDQ^z1YrhtFa&p#HYZ6w+>d9& zY3k;Kz-KNPi)ex+=T)wj?Wa4`&`lUD~@jkGbQGwL4=b7$HYaHG+s$@K&YDo$`bo1}y;1+WxWw609~)ab9!a(cT3aA{E3-zs3|ts>GRNmX<1 z%gYfBbX(o-?{qC29M`RU_5HEEz-zcJu&H4if5?^NuG~AZ7-Q=Df$5-`h~OuOQ?q5c z2XjcLH8F{TDNY|KFNu6JkTAy182}aFas%@90Wm@R_WYX4?xi2C!%#*a}-;neGJL7^OM&@}||Ky|V z6DJ?H`4h6teT>W)w z=c!h0Brp5=iSgjcGU+4rKzunm1xx4s^jmN53 z(_UWVALU%BL66Y~b*CB#-zSSIjel58Ys6N?9<+U*tl&ybdW<$T?>sdq4{j(j?2}2M z$&b|&i-;uS^;Z(X&+Xl;Pxtg2)u8tL^!j6T_(En}vHx<0AC+;G7G08fRO?P_maEU4 
zD)s+$A(oe4Mq~Bw(W z6J=39u-Sazd*8o%j(|bXfd1bd{NIg7K)^tR|Az0^|D&J(e@^m0TbKTs{&y0Y?>`6l YzZ#hoq`@KnT>|p`4*nkd`2T(SUv)OgbpQYW literal 16038 zcmZ|0b95(P5GNXEVrydCn%J1wwr$(CZQHhO8ULGhNrHl*0s#U20;<#ctIClmtjPoe1av6|1cdR^YUp6B?_{iOE^KUKZe#9bZfiql z;b?2Kt!3?q!h!siqnm%Ht$dNBi|nHAQf}DV5M)>mtrbHesZB~LkrU6eVI~?_6wavi z_3kWre`T)|HhO#qUbmFc@qTL4tns_Y25I57^9clfVa9O*Dk}W(etxVOR_OOUC5*aJ z$b)3T+FYXkMyXimVE2BaK-C(WY2&=)aG8FoE&N)L*p?j@+%DO`4d39tu7;@Z`GbAA zpJmFDa6s)Gh;>dBnODYl2zm|Q z4ZYIq99zC%qt6OsNrq>KFtj!AV$MPRUyM&kgi>MZ>tXjAbP>}*N_GJz85YI5EP>@b zg(}#q*?vZryRdL1Gbl_P+==p~nrp)q_9fNDd-!zwU9h^o#?o8U7c2%|IH|Aq)q4Q< z#=1K>oM%s?5N{5c6eIEi2Ntt~3)Z;0aN7#hBF1)1akWgb4LL%+y&GaCNSydaP67GNu73&U=-G$32F|0y16o8{afhW<6m3t10RrD_)KE^5+ zulk1unH5KQFrOCFzGo6+1tKej-7q$_kA&n<;SW^iP)W>zd~(K3^c0(&y*OqnF(uCk zegt(NAU=SDgATFh4OWQh9B?-IAO+hEMkV2e&YVVbcMPWKza5S$I8!wviSh*11_q0O z6^~K`x_n}2F97ib!CzE%AC`s7!AGHQgG(`mJKquQVgS?v zm9jt#RPMj557)#Cq!V~}AhGmZO&-XZ?IO>gm#D|ba(Pq4_U4`s$4O%PuBfI5L^tB4 z#54B`_(h%iPmZP8S$qPixa?|LE65QWx5O>J8T*QRFl$3MW;SeWQ@5vasL-5NArbIYS{hLKBk_ z(ZiVU_yJA&ENzFavE9{RUb#-GE*MRA)Fe{nFXK7LLE{2$mw((NA>)n6z?5QpzQ%rM zt?onkN0TWjT5K^9?D3-K^MzOd&Cw-84^&gjSPC$2!{u(Th6z~o`lBX9g?3XY@;${4 z#e&YUZ*OgdXOd8VeBXcHO5 z&IOWHf%N+G29|8Hroh%IOB>FRtvywFf34 z3Tq#vixLW&UoLImgeSd2(dnaA9rhEXVB=<(sR{iHJjK4Zrxut z*9D66*W_#P(t*-o$ciB|=c?pr*g;i;U@jbLI92(YPyA}Z@1K_m%e%|+K81|OdhU5k9zYBCv~wXOPRkrnm@9FD^u!FqBFDo8F8Br`2^ z3lzW{mR^!^ePQY3#vSv17MqUgCNyQUGHvx%Tf$>n6$-l@7XBUSr?B;WB+Mvd{?%INRm zlj&PVdzg+4jUli_H${Z&xqj{`4bGEMGm2iWauN(k{{Iq1P^AWNK`mf~(&!de%m=)G zyR$(#y9>rY8Mts{nv@E56`gX=(3r_wPr{&R|<{;+E?(st;BBSbVl4-4!5Qvmo zJNk1T=FxIMOJZo7@P2tRmZ4kqg94+bvbnKmHL6(P>MfzVKV@dx`eElWj6idYA8QZ z8S&sQZx*c3HSx19&fj3PORb66tCnJ~(xwHqOiJ&g`j)m<%srdx_Wp-$vc#(!VDzw7 zVzZF6dgcRgRAiz0jIpfA=JYWyJ^7KsaUK$UUJAWk(2LGo_8#C1)!h1$e-T0E2hKNF znDkvy5C00oHZ~--N6Sg@uZ z2hQT1(Cz36v=YS+K4Xmyv;kL_El}5)7c;ga(t5+#g$BUZ8-G?oso^^_!9CII%G!=$ z%jigCj=V9eG#^(op$AX9&&i(=>+3nSJgeG1yocd}o-0>X(%)txS|}Y!j;>Y=swD~@ z>aDGdx=jPg&dU1aBT-Iny8qukzUHMb(3gUrPnoB3BnC1h{d(rS0y*pyyu 
z*m4@mVwW^Ds_S|U8`)aR;gT1ztw^b0-o$B(mjgaMD{h!oKG>$WrS@9O{v%-G5ss|z zH>poi%i%#Jl)q$@2LxOZL(VIK}ljk)Z~LKtWyw z81rWdP&CtT$WU}DckGT{v%2`j=TMo6Zw&19idGdq@#OIE#EI4J;nbPHh0xFJMkv({ zr`}s)-QTaBr2r);G6NGPbs}`Z2cur-6OxeeSTu z)^hdD4KDhw^!E;_xJMUfk}Kv?N~s>#TJmp2%+W&LUnlm_3zJYI$rU3{i{3%^!Fv)@ zV1l(SpsojLTBx07W($Y?FMWM)7??fXUBag4UN1)}GPi4v4Q$B%DPJFlfm|Hf8`Rjb zAgMsZkJ@&z7-?7Jo_pEf%^tgD%~2YkLqyD@-GvURMof-&{4w9Bor~XVTm`S0S1f+2 zy(qJ-+my5=K3av}qq?%6zJzTJH{vWSa#~%F%D7R57 zA;$d^X>$kO8Gr%jW8kEqfI22KfCnI&rvdch!#jp&a%7SHdghtnlwBnl>xn@Ll&Y;P z=rH5Y-s6$%p1K`7aT6Hd&BZANO(t7^P7m>-JVQw8BcNO)#O(^K*U)rE!TT=kdWI+Q zW83khF>ugOe&|F^=5*$l- zcYG8kp4L!&gcmRpBMC1PkbV$||3NUDloBc)*HDq~B|fd6LmmCjH9npXotaZt^%)!G zymCpkZ&K-M_Y7{ns^Y~Kc+2S^04X+aIH<$#)Ic^|2y%(M->bxCu+O=72`=NB zDUdAP4IHI(iv)4H2ne-Vs+lljkA1E2wvVv>m6pKHWPU5n<9?8Ce_{ra50216t&6g- zjxvQA=*FYt3X^HYd%@tHqx1OB|5yV?aee3;n?!O&gA*msY(=;}7uObUyg zSQ!??@x7S~ccYNGQYTJPf=Q=;tx}EkG;H9Wa*A}-b9y!Cz`#LaI8rIBJOYCwu9iTY z>%g!Ka;6H@_V&bwMLWhf8!1-W^&(3kV*byKY{Bd0HGY1ZMVOAC%^$&fExIs{=ZihM z2_kvw4CyNAiWcTz;>+BEnDJAjdOO{zu)p?7vD9)Rn=wza4jC=JN=X}aQik7Vyv^TP zC^aJR6Rh8I^I?d~k7FZou8L-HS)Mhl?8Gd=&2Tpu31y;QUwF-yO*`*m?$y=p>{Fb#au^W>{nXQ_eo)(4V*m*X=%R>RDTbnBJlco-pJ4YR@gHnrb`Q|U?t zALEH>j7r?iIYyB?sY@R^{61V`pzTcux9v37OS0hBvMkxl#`@q!9qtL0gv(u__0t2&wP38EkW zBaSu;n~_=_9zA*rdzouD0I9N)gF0YE!T9e`Ksu4FTqKHa5`h*jTl04b|ATql}H zSb@UCp7}FaOVQfx3+xp=zs^AcgjUFIuRL~1;O=rT5644(+Z1pQM=}4MDxinsE71R5 zo)*k&odC`bM~c*|>9V^V_C^a-s}A`qZwnd5UH?X^2)zW{B3>z`<48EL(o+Z(guN zOQpI{=CvmC+uGs)E*to5uPNp>(foFHyz^QofxESTJ;-q6G1ouUZH{!?ECQ)O^W*Qe z_-BI70Za-_;5Hs@x|Q`hoFss|3&A{05BaZ?z&%WVaFhc*%>3X`ga>2`=DAM(;E31h zRcWm=XW5{wn}4s)VFWy7igxZ?AF$PP-tfKhU#Eb0s6stl{Q#kbdARxkq6rMx{sGd8 zGuIi+f1UgvkZBv3=S*qCHAaC#b_;${uI`Ze>ShbLt=eWy75~!(YVd~~WI%T`Xtydl zpc@z5qZVY&vlHP#ha>M9+JA>0@`1N?UUP7yZkG)Lv{JvxVmijZ+GUqOnj2>&Gg_c< zcO25A7j^DkBJY_U{=r8*@7Wa<@CnU-ea$=fe&n}9zr#?Gyv1nX(0tW5^a!EXY3UrL zQYp_4QLVF^$BSVVzmXRR^Fha*d%#ne;jviO@~T~^acW(-5p$5un*T5&Z~crUi>+jF zPO*G*n-zi?^JOX1#dSnxu0_$_xo*)s<+E*pRRnI;6imAaK(MebRK!p4sa~~MHl%ZQ 
zX0z{`EPgstuECp1jM)o+uBtF|Uw>{8|6)!$wtd|*W=y00@#~!J|s>b^W&IH{nEz%^<_L%&i*P>$QLZHcb>9WI(A?Lhj()7Uj;{@JeEK=hokrit*P)#@ z*&=34Ko{ih;;E#8hjH%uHvQWM3$zl3vrDxSD{w?lugMc`3wvcc2i&2ZVb&^kqBx0R zb`wtVVq2X{K~m8r9EGq~N#QR#m|Wf%K_%D7xGCmtZ80B}CMcp-zu=xG3Ne=fY)3yoi20_KwG$Jk?fH?#!;3fv;tAl7U{@3yv8)POvNM7 zjGC)p@&dWoRoJmLJY^ke`;Ir>N=OO%M5$Bc^puT$-e6a~WB35N+{%)u()&U_L9K{=z8q zh(JC2*Ts`Ebp|%M>b{t5c2qWY`(SyuGyHJF?+>~d*P81>M@#|=d@v+j2%`vl{#F+T zoh>Vu!BC80`dfVw={g=X!;~_xjhA3sc@BN@5rVRyRfF9ZN2b_+%T~L{*9B7zwGGVD zAMez+)bO9nD#3qvBj~TflXKIHoC{Zyq!%cLp*x7&cjeg5Ny#0Oz9M;yE8eb+B)B&} zE@`L>(s1mTZq7c@b%;sPKn1uQmsgq}j?0~{*ZqYiWP1bK5hfu#L`p&5%z2I3`(H!v zx=io=4c`q9#_v+e!%u^r*WL}Q5Y_!%FO1UOT%I$frBsU zYZM3F+^j2GkmcJB;3q7)&;BNbx1`owST9 zO~+zV4R~BQNZDdYsnBT=A+n$o`#eJb*2`7<7^io{ry>{$R!Jv9)5njmty2Ogcs^Zc z9sm6A;}IXGyQOoc~2=Z{Sb(pjLOO(Jz33%ePw0N^?+YSJk)HPrU8R!I?jVA6g~Z5l zXY({x-y!ropCw0;ll=}bKMJ_@vukL; zvLY&iN1|a*M3JLQL zLMxvP%6u=d=K^c>iy=`DNIjIQmP~!x01_lXV~C|gaDL;ePmPG+-ysKrTdWgOj;(7iZ%Js|d>NiY`fhI(b21HW6PSuhb-Pw3FC{||vb_32;(X4TVTFouM zcyA|5d7p@&aXGp+bvDQQo&Z)ZQDa7fZnVJz2*Tm)9LG1AGPRmS(EZJ<11}eKfSZjpIs)DQ~u4-tCC9 z%b2_f;Mh0bXlf;XNxh-sRpOrlG%H<(?|sY(cJ|0Fy!L_C%BNua*6z zfGV|i7US_3H}|8ue4aeWs#7+@;tV5aW{A2D&^s9($?uJ!`WUt9waP|Eur5rgUuhsh zPLR_A_~T$x>vl_dUKvbN4cL=+S+369gD%~{@OdG0;y{h1&JBZ7DDC;0Wu9O}Pp?28 zuir^K4m0$2rr`*K3ZCIR?F4b4kBD7?d|6Jb194%`@ZR_)^Ran@%pCXg)E4@S`HZ7O z9{~_otHCsKtZrZ#py=ghac9kHJZAY#qk<^&gk8iR#2eXRgrPBLpwcf9w8mA;m`=Y2 zL&rMtlo5&b@5L;2)9{X^I5`56A<`E%*bF#g0AlzB7gF)Poc50Mkf}?MgJFXQ&XUU_ zK>uL8gwRn)tco)nh4B~x{;QJ!w6}@FI5dDk6>JAIYUyF!wWQvQt_FFFldY(7PH|*D z^{>zV6Fg0>G!xUCd~3aCY{YqnIukSco}#ySTJh_P(+_HqdHk)VUz;b)Fu#u52Qdir zu4i)?)${QM-7ARAL_V^vVyj!vn%Qcx)#wsz(>8N){zjweKd$*%WHVxtawp%z(oTrQJ-q)mt)LR9I0T;OUv!*n&ycm z>V6dJ2p+4}hr$d@@;vW9;UZY;gK<2--7+wY_+!XyGIMfVA;NVE-(yX;?ueqO4S*hi zy5lK4ePgYzVN&<@W?Kz6vY;z(hK3@h z`EX~DNA&|%x4>8))`^U>`i3|-+)J23+rZ5zfSr0sHAMZUMg@E$JR{5--kl(k-?+Sw z)g3*&mcAUshR^h*SJ;(~mx#tXq0A}>%00Mfceg8sw@)HGj8a~WXY?+18fv)9;&bEwnGH3Niztav;br62HyBVfV5`(& 
z{BsfP@vaNdmRrXQqo-VW?A6<*@7@`ONvOR>TY029ckk!aasK>Dsf4^fHIjNoVZ{Ce z)z}oEkn1IXR#T8jm-(kcVLxml@lQsA?-$V_aGB4JLAWEjWLB+s+S<5)QVyhCPEaMz zcW5ZcK7$ufIBbYvzFkU zu;mU%5Yq{Q5pUaL7Q5OZN1*WxMiR_u4PuD4Q%v5?2Y-LNe^et$_Gm^3)wh-(FGAeq zw!;a~3PRh5+qc)rhH3E#MHC6e!i+47O|Kb-_~^;`ix+Ng?cqH;Zf-BA{VSUCeqcl| zJ^WI9%`$0#-3q#{E-5C%iQH+&A)poSPL;Hzg213r0d|@5@DOI8lqyuZJTP0yUuH5( zOvg6s{i*QI1&!lK@Y)54dEw+}7FiWGTM{ERoL$#4%YFXLWfn%byzQ2j7HRo#@R3NK z_R16T_-$k*^zL@kBbWj=wHws0{bX1lt>TX1uvj%LQN>nUsZ;DWe0Tp@yMu2PPq3x@ z+{=CPk*5c{bCf+=3J=|WX8+5q=JJSPBlz9pka*lO8Q3X_g4y}EXg7p*L&&5v%Ib3M zx9E03AnHHl#kTxz(*_<2_ZwT-GW#eA1ZE&nQMz5%RDg){fPUGuE(dpA!2oGtWVTNa zrjGP*5AXM9&I@l}b`8B#=B(H|&i6_)xWydFYD@EMl|b@~6E7Cx^#-oarXotx70b=D zIbk9;D7wK3eD~*Xx3n5AKKt4`N*dvdaaK$PNWKeQ?N`We_pbw(cF$KR>~9a_kKBxT z_8PwL>%qm!%F6EVB6@Wo@q@?vMEsc8uftkfdR>Azqkz2FDlVWVYdo)xjlhqZrd#KGMt5@J3ldxuow8>1v7$N0DMS)Y#%#<pxr{aH{Qb3#M?@TXwvBMZE5IM%`^W@$9?H1xpKE=|p?_hg~F(L&)CXjXhK)R{msZ z`d|u#uP_*$P3B;l?YY;!xx~2AFHiM|MnoOcm2&>ye$29W0pJldMecjzI?&(jv*G_f z&)ZMNigpiymJ*$>Knfw09XR)U^N&CJANQ^_E}+L38tc8Ji49~(8^ux%K%vS)Ji$>W zj?XT+w>-JfGVL0SFmkY>adnYV753}wv4+F^)vSgD<$2ZIInTL!LN1T++bzU*Al!-! 
z5}OTarE6>)&a@rp9#hUf=|8&RMri7T^$8yx{0~xj_ zCcLE;@*bD*kE3uNr_~}YoM1CU|2Pa3y&U3Kt-^^TkC0PV^v)j{#@#I#nQMgGR(*P8 zMQv3v-y)n`uzpvbR+iLe^jN%g(7tI%X&yN#iz+IPN<^5KXT{LbMn=~`MeHy8mpFD~dC(YIh5j|VHP6)ueK7GdB8Ym8i(|V5F8QOj!yTaF3 zEd<1hH3m}4ImLRmt+yxl!Bl4(QM1}g{PRR#ebQF+fo%wq#iohPaq{J0(kjZ?mYOp{ z%+V_tJ-~|1)2~h&p?P&V-uM@#TQirKWw4N5ldrAGUV@b?pX4tqJN~DywTit<-qTk* zeE8Ag`gM5+lAVAhHSx_pdR_?oI1Ztf*Pmb*_(MH(l+a`!gS#}%q}*L@xzTjCGM8UU z1nme6ahxb7X1?@BPuHo)R@m%?YKbV_@$`lm$tcA+Co^EC%obx1!-ZjvHKVV|qgrM43_DPx*RY9myJX&0ji=E6yl54$YTrG7 zywxp5DZfm~`W046Jb)LQ!A^9z{b{E>tz z6TD2SFK9WgTYh`Z?ns+)6zxk8Hg}uAe=V8n1Ba3`y2cz)3{O@*TIONlHHsg@tyb0RJ!^3u2oKYl0IuE;5sLPjjHgpLo<<_)yJ}b~ zhDWFv^SL!ICE!LVIV&ORD8*E~@@LE`Wc@4a%mQaxQUeVorOB_`RCS+(T=mbDpU{R~ z#WR`jnhJwSx#ndNr(Sb$nfVP~ahbFUd%rHm_-5S4CfPiz^43fK)8$b7oD>0}RA5li zcU-8qNu+!#oMmGP=8A>_))Kb+A?b=Y`V?;TZ!TkO)<88j#Vvi^h#r%rKOLDc@}&ir zi-^|ApLJNxN$vU+E}2pk4SuP^w`eHxf~OZa-3KS*%_JW zCyqVPt*pV3yT zs-dP*(Lx4&w=i9j#4d4aXpy>G@5~_s4EhLZrK-oL37ju3{-3&%lSInR133H9#f8Xj zyFP6B(rBkKhB4W8z?txY=)<1sapJE^ra^e6X!hT;pzKBiurqv&_H^vI8xOS}7&{%e zu;`0@L?t}^S$sg__2l>CvUs}y(=fvw|KU!UG}b4?u~C*V9roUOsDCK@&B5KBTPZpo z{ASE>ml&;%Y|kc5GhJ2np6`X{>NJdFb7mV@tNE#i*!0?6AVL~ep&k>yE@ zZ}jVp5PlQFxbWUtQFDy*JU?ag>}SYd;VW<;zimRw(Uef}JPk5POp*5kKftqb^m zbC98zqx88+w$>23Uwk6HL8Wk?b>iIdVd?CVKXH4xUdEkLVB*7~q!`nJX2;fLOwpov}7)D!&(gl7oj{erjNp^A4?e>_kY!^4RtOm85MYFYih_f5KG+{XtN{d&IcS4zNZxG4ut{)gV-001h zh?hvCJ?s-9tjJpKQ}nv+*#XbhWU0xF8NG-AbtNRx)yvDPT+^*z8d2nQ->+<=0q zN`!<%>jejI=u-HHg8Uxbc=h(RG_{7{ z8y@9L=voThCx*7>Y`8j);qZ|;|4fl`X)f?F^GxwJF@=quAX0LXHZqK> z=jQNn?pIMSo7=v2P$>D@u+N_@Ke&X!nmiVq$5*{5K6Q<>XmV;2IP%RKvHc;w*Q@uI zd#IO%ZghX{sTT^GGy8l1BfMkI8SuVo|7HGZgxPJeMU7WThjE1oqlOBqvrpkH?`4*z z;mfRoUt(e~iC2=ct%|z%t761)(hqKNrxL;TpEL4vD|OBO*lUf4!Bui^6NMD+_X|br0N$_aiFkg9LF08 z^6;)*lG~wzOx55*&9}G=?oG7Jcl48QPZ#%YEXRvZx|QcM>%Dvr_!ZJtzGBi%TXweT zZbYp(Rc+HpxDPUXl;#TPN$O*6a>9vTXNO8oTHB?cG_%3FV>;Yyl=p9WVeh{DLpt`w z;FryTdRT5x7NVV6M#qoq3r~ZcBTPvyLMeNW5T=nDA?Dg~3qszM_Gbw%4vCb^mmZyg 
zmTI@_oVUX^#(V|*J+yD8)b`+X;n0;N(Jqqgf1G^ktqSD5WZL6*4modzrrl&;OdVByck>rmXm2F6gC% z3#!?p^?<;3{lo=*>lYUR#TnOC&q$oL-F>2pGTIbW&P>RlT*l4(DI(5H&5*IEb=vCF zXf)MukX4;PoXts{xh*uY(3nrv*hz{?4++<)+Eb!6Ob_KS8?A7uVq)}`Joo(_#Hy_mJ+2KLn{iM~^R z_xp4wfjGNqH1IngJ{eEF-|L>9bzbD{9D*wZJfJpbDtB2t?{U0i^;LeFY}l53nw-+$ zwe3oI2C*F>Sy-(SFRASilQa`mB=RV;Vc+~Jk66GXyhJiE*dT5y#LFKU;TAlyep~k9 zKSfu104`2cRq}`(hg@3X&69rfqg$^JhVekU2EPShD1MY)AXxAM`^x>0h4rEKA>bdm zMM?7*gpXDtt{W;Oo^Tm~M;N*thT}mxM_IAj)0?3JbvY5efz0kP#OrM&a1Fmz`#$z) zR7-9Y6kGbeF{^WfsB>A|wo8b#!CF@eS&ouAy+NWDT&I=HO0Gf3JTS&^vvA0oT|5Yb)k{~#J{F2t)jcH!1~B{62jQ0;(1 z)7Couht|Af=wRR66lu9lM|Zqba0uuLKK7g|D7{#=-~p~x`GNEIJ*-QEdA28C&G>0B zLrWu^n;myw$u92Zz}qdZuBwpQ3Fmdy@$Ixh(c@amP1bsVRGCYVVdP&WmlW^rxBfRn zPHgftxjm~nP43XW6Yp0uDcuZQFOJX6;1>eq=q$Vd+6sy;hYWgdE{#2u<&vblzAsm_ zLs;*TG$$N(>9#eN{-sUgUrSd_38l`>hF1&M&CkwFjZNp)<`mb~zi=&QQX0wA5L?z2 z1x=mOottTCF0Gekoz=~(u9*@1)yI~StGxxawAoz+6P{8%EiF&Y);p^se7AQ=JT{l) zd-jt}^1ROY@uSf}FYtV#O=P*6RI9AQ@#%V?v|VB=xUl6vC%_GIT}D{0OqlmvgkDoh zS(!Rx!izsNXw6w+FDuB^S`01T|JHouh)}H!zq;OUa@QAq3j@`}MvMxwz9GJISMjTG*}@uITI(lCh3eBpUy>TxI_)7we_Gp}|IBOCetK z(+anRg-26{EbVqc1aGs`U4+Cn!r6~2OsOH;{IT3p8&CBT^r*8$W+lGHBuG@m|hJPxB8rKa` ztD0#ieAmn!Ja_r6YIbI2!@3`+ta6geo;f5Q$|8IhuJfKV+i_pz*nrCYL2;)1d}OMO zj{H3j8NH6G=k3bnuqU4@2=>_b`jQbu$#>$3428GXgihBL%FTiC21RZs!dfIdRDQIT zzcmY(9kEA+-QVl&_bi&#i)KruE_Lar`KjQ*i1(6|w)ZH~E+27t3U4CC&fKQ=zbU~k ze8Vs+SEXa+i`zBt<(*yce=VAoOj9bX*!FxB(2BQZH$I1kn%>RDwq>`Y+jAur!j`vW zPR~@GxPG?ll3VQf<nGD5sT_`k?lH@(gE@_@qTkNmt+$p66o2U0B{KPLy*ElJS z&On8N4cw$@)y}}HUEHPJ8m_Y5E-rBkB_&gj|M&<0AO8e4aDVv6WhS;Q@EP46ct`uX z+{J&Yq51&w-{;OLb{s~j)|`E=W1GKsvt}^kt{=`P=;}?ds`LUD<36k@bCX6XKIMB4y98&JWETe1!-0|;_txZ6P zu8=bT5*BM#Tp|FOb0aoe1ZANq^@%TT^YfyzSN@_da{oC!VQrPJG^);pW4x$&l9IGS zTV~y>dGhp2TV{!3tz@=bCy}z=L592?STS3U>VDmC^RIf!6PI}}3d*8SDefazap~1> zTv;^0kcCc}6gE{yKGSKXMNjB)*zZ6n5R(;O`MY>~VROEvj!(Id7{~9o6OmRSc#4nk zH3n|HSw$QzgOrP)!@nUE_`8VbKOswRf(I@MX`PS1osu@DrhkVTtktT=YDq5GY{UxF z-G&{1T8XsEy#Vu++e6D?wQtR$j5gDrE=%y{4@nCFNC$|Y^X7l!OLU8(KCU{>hQCK1 
z1ClDBbLTJ=pmwSjUvGcTMHJWk(0j#@)11F-?|CIU{8gN>Xj8I6lActH7eQj}r;GH; z*w@mT)oa2&?AYpVn7CM2KC`HiY-%ShFBzfeN%Kq z#ftuR2#QphY@#_j{8h%t>PSma{ZY!}JY<49b3tB)yM*tzF&am*Y3b}N%&}?ihy9F> zA%+B2dAHh?#gs2^lx?z=NZt}h0gI!hlEa!A5n@VRk9%cp ze$1O}+FBu$q6V#D?lX`I7pJ{Qb|I6Kj&mUIeEr{bPII2$Bqnhm(DWaFGP@gSuETaR zvECi+gO8E!8FNiq=kaMZTOIxL+B+#!9iQRspI21cJyjG_kFV0f>3_(iQ~e?H>W556 z*Xix_wBswTiEYiygRA1{p5-*JjxV%yFHU!nT@5(KYtd!@lf%59?d*k>=SMMHa4!FM)U~SqrOI%^k$e zE1P6%Q&ubUmTdL1fh9Crb7i)3)6I$mmdzEb%y9FT?n0~1PRbT-vzltr&c(+X@y;I} zRCJ6AcY0>H*ao`J!-tK1E-IVD(MhW0_z3yqWm}2ETUjIN_%c<2@xz|n|JW0%nq0)u zb$lZw<@kbobkiN}@WQ=m%L<=c<0=B5`=fJ~dC1^*S8;q$aK6~DDes?pjxUjHulb~Q zWPrOmm3VHo?a>%@=S&ED2z9>n+FYALWyDk!ZRBfyJcR{YpVbOiRVB32?aVMLX&nU| z)e|P4Nt((DC0iK|%#70Qu1OBh>=NyYCYu&CT-wVKG+aNs#KlvJrc-B;#dDhlJMU|W z&pahax$HEDYQAQ*A>1{~T+v#(*WH*0u|(VJcEc8bH#>qv_N0Z?j1^yOx?H3^L(w)& zQ8Bw$M1gj`qFCM8#T`0Pl_fp-wJKMYI&xu11I3c8B>XW3`TSu?`%ra~#AL%_ic@hl zVu>@cry^vNp&eb=4$G#ShC`)(EE6Z}2yl7#hZaQ6-(@#*8ZzcGaQ~AmeO_=^drnwU zkoF7&7gKlF7oJQCvL~(EYacR)3%C0N$mH`LgM6R|*iGs}`>6Nxx1%y7nlsSz?ux)Cm*!u9+=-i6(HaWJfIY}Co=qz!zsp&xTr3i*0f{o zFh^iQ$ByA>f?g95Awzsmgi-}mYDI4*FoD8o zIY;Cw4*h@v=fF`og_~&UW%7i7ypqldLeq248hw+o(&KMP$bu(pg}IYSy&s@S`#-VW z6gs^DGi{&{;k+~Ygkh6Q=z^5Bf`S(QGRYEp*(7hjIFE1{4k$C`{zgGwamVT9L|^+> zHcJsriZAy8jW=Mt4V~~vS7tW8otU{jBGXmGq0{JeO_s2{X50zDCw{IX@^~@lBwOr;n5R^>iFZ3J4+j7i!RrM-?bBk& zm{TnTxkI-tL=A^cSX>IRrqMFzx1vqN`P$X;v8uPtLLMy9&@$$Cewu87tLLI-Y*>Um zx+Q{5oLmdB7Enxn`Zj<13ZJN03VX4q<7^X@)W0nx*-2b0OB*KJB)E)vmbT4Ai=DL= zqK;N?o7oB%IO)ts?#^E{GUd&2>0jVadH!qDxe-bAwE7v>wO6zCzYACS|GV&V^uNX+ z?s~*dm$k%TT#|;sg?}bo8zETFBFwzztYYI?|9u8M7p=Br$$-i&SW}VW2xHQ;ilp+2 zAw>WMkmyiO7Vqb*tJU)$RR(_Tet+mXu@!fUe?T*Npuj%gT#sYFXjkN)L!(i_78R2= zs$93<>#-rY*`2uV_Pl?~NdkkQg8tvL!GAJU{$JPsB{%&4oaFz^b@_j0F#Sn1|Nmva V$Vq}j{5J&T=MMUL!t(xC`ybipw!HuV diff --git a/Solutions/DigitalGuardianDLP/Package/createUiDefinition.json b/Solutions/DigitalGuardianDLP/Package/createUiDefinition.json index eac1aba0e6b..1d694d2a7ec 100644 
--- a/Solutions/DigitalGuardianDLP/Package/createUiDefinition.json +++ b/Solutions/DigitalGuardianDLP/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/DigitalGuardianDLP/ReleaseNotes.md)\r \n There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional 
ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -60,14 +60,14 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Solution installs the data connector for DigitalGuardianDLP. You can get DigitalGuardianDLP Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This solution installs the data connector for ingesting Digital Guardian Data Loss Prevention logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { "name": "dataconnectors-parser-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." + "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the DigitalGuardianDLPEvent Kusto Function alias." } }, { diff --git a/Solutions/DigitalGuardianDLP/Package/mainTemplate.json b/Solutions/DigitalGuardianDLP/Package/mainTemplate.json index 6c9c8582f6e..99507104750 100644 --- a/Solutions/DigitalGuardianDLP/Package/mainTemplate.json 
+++ b/Solutions/DigitalGuardianDLP/Package/mainTemplate.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "metadata": { "author": "Microsoft - support@microsoft.com", - "comments": "Solution template for DigitalGuardianDLP" + "comments": "Solution template for Digital Guardian Data Loss Prevention" }, "parameters": { "location": { 
@@ -38,30 +38,12 @@ } }, "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-digitalguardiandlp", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", - "_solutionName": "DigitalGuardianDLP", + "_solutionName": "Digital Guardian Data Loss Prevention", "_solutionVersion": "3.0.0", - "uiConfigId1": "DigitalGuardianDLP", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "DigitalGuardianDLP", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "parserName1": "DigitalGuardianDLP Data Parser", - "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", - "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", - "parserVersion1": "1.0.0", - "parserContentId1": "DigitalGuardianDLPEvent-Parser", - "_parserContentId1": "[variables('parserContentId1')]", - "_parsercontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", + "solutionId": "azuresentinel.azure-sentinel-solution-digitalguardiandlp", + "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", "workbookContentId1": "DigitalGuardianWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", 
@@ -189,192 +171,70 @@ "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]", "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))))]", "_huntingQuerycontentProductId10": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId10'),'-', variables('huntingQueryVersion10'))))]", + "parserName1": "DigitalGuardianDLP Data Parser", + "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", + "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "_parserId1": "[variables('parserId1')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", + "parserVersion1": "1.0.0", + "parserContentId1": "DigitalGuardianDLPEvent-Parser", + "_parserContentId1": "[variables('parserContentId1')]", + "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", + "uiConfigId1": "DigitalGuardianDLP", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "DigitalGuardianDLP", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", + "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Digital Guardian Data Loss Prevention data connector with template version 3.0.0", + "description": "DigitalGuardianWorkbook Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", + "contentVersion": "[variables('workbookVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", "location": "[parameters('workspace-location')]", 
- "kind": "GenericUI", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Sets the time name for analysis" + }, "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Digital Guardian Data Loss Prevention (using Azure Functions)", - "publisher": "Digital Guardian", - "descriptionMarkdown": "[Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "DigitalGuardianDLPEvent", - "baseQuery": "DigitalGuardianDLPEvent" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Clients (Source IP)", - "query": "DigitalGuardianDLPEvent\n | where notempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "Syslog (DigitalGuardianDLPEvent)", - "lastDataReceivedQuery": "DigitalGuardianDLPEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "DigitalGuardianDLPEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": 
"Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": "Follow these steps to configure Digital Guardian to forward logs via Syslog:\n\n1.1. Log in to the Digital Guardian Management Console.\n\n1.2. Select **Workspace** > **Data Export** > **Create Export**.\n\n1.3. From the **Data Sources** list, select **Alerts** or **Events** as the data source.\n\n1.4. From the **Export type** list, select **Syslog**.\n\n1.5. From the **Type list**, select **UDP** or **TCP** as the transport protocol.\n\n1.6. In the **Server** field, type the IP address of your Remote Syslog server.\n\n1.7. In the **Port** field, type 514 (or other port if your Syslog server was configured to use non-default port).\n\n1.8. From the **Severity Level** list, select a severity level.\n\n1.9. Select the **Is Active** check box.\n\n1.9. Click **Next**.\n\n1.10. From the list of available fields, add Alert or Event fields for your data export.\n\n1.11. Select a Criteria for the fields in your data export and click **Next**.\n\n1.12. Select a group for the criteria and click **Next**.\n\n1.13. Click **Test Query**.\n\n1.14. Click **Next**.\n\n1.15. Save the data export.", - "title": "1. Configure Digital Guardian to forward logs via Syslog to remote server where you will install the agent." 
- }, - { - "description": "Install the agent on the Server to which the logs will be forwarded.\n\n> Logs on Linux or Windows servers are collected by **Linux** or **Windows** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "2. Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Open Log Analytics to check if the logs are received using the Syslog schema.\n\n>**NOTE:** It may take up to 15 minutes before new logs will appear in Syslog table.", - "title": "3. 
Check logs in Microsoft Sentinel" - } - ] - } + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **DigitalGuardianDLPEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-DigitalGuardian-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"green\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"45\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| summarize count() by NetworkApplicationProtocol\",\"size\":3,\"title\":\"Network 
Protocols\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Data Connector Statistics\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize dcount(SrcIpAddr)\",\"size\":3,\"title\":\"IP Addresses\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcUserName)\\n| summarize dcount(SrcUserName)\",\"size\":3,\"title\":\"Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcIpAddr)\\n| summarize dcount(SrcIpAddr)\",\"size\":3,\"title\":\"Hosts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where 
isnotempty(IncidentId)\\n| summarize dcount(IncidentId)\",\"size\":3,\"title\":\"Total Incidents\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"customWidth\":\"20\",\"name\":\"group - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\\r\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Source Addresses\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"cat\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"35\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcUserName)\\n| summarize count() by SrcUserName\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"35\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(http_url)\\n| 
extend u = parse_url(http_url)\\n| extend Domain = tostring(u.Host)\\n| summarize count() by Domain\\n| project Domain, EventCount=count_\",\"size\":3,\"title\":\"Top domains\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10}},\"customWidth\":\"30\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(DstUserName)\\n| summarize f = makeset(inspected_document) by DstUserName\\n| project Email = DstUserName, Files = f, FileCount = array_length(f)\",\"size\":0,\"title\":\"Top Recipients\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalMailsReceived\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"40\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(inspected_document)\\r\\n| order by TimeGenerated\\r\\n| project File=inspected_document, User=SrcUserName, Policy=MatchedPolicies\",\"size\":0,\"title\":\"Inspected files\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total Bytes 
(KB)\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TrafficVolume(MB)\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"55\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(IncidentStatus)\\r\\n| extend inc_act = split(IncidentStatus, ',')\\r\\n| where inc_act has 'New'\\r\\n| order by TimeGenerated\\r\\n| project TimeGenerated, User=SrcUserName, File=inspected_document, MatchedPolicies\\r\\n\",\"size\":0,\"title\":\"New Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 1\"}],\"fromTemplateId\":\"sentinel-DigitalGuardianWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", + "description": "@{workbookKey=DigitalGuardianWorkbook; logoFileName=Azure_Sentinel.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=DigitalGuardianDLP; templateRelativePath=DigitalGuardian.json; subtitle=; provider=Digital Guardian}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", @@ -389,6 +249,19 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "DigitalGuardianDLPEvent", + "kind": "DataType" + }, + { + "contentId": "DigitalGuardianDLP", + "kind": "DataConnector" + } + ] } } } 
@@ -399,429 +272,21 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "Digital Guardian Data Loss Prevention (using Azure Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "name": "[variables('analyticRuleTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Digital Guardian Data Loss Prevention", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - 
"email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "Digital Guardian Data Loss Prevention (using Azure Functions)", - "publisher": "Digital Guardian", - "descriptionMarkdown": "[Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "DigitalGuardianDLPEvent", - "baseQuery": "DigitalGuardianDLPEvent" - } - ], - "dataTypes": [ - { - "name": "Syslog (DigitalGuardianDLPEvent)", - "lastDataReceivedQuery": "DigitalGuardianDLPEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "DigitalGuardianDLPEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Clients (Source IP)", - "query": "DigitalGuardianDLPEvent\n | where notempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "write permission is required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": 
"Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": "Follow these steps to configure Digital Guardian to forward logs via Syslog:\n\n1.1. Log in to the Digital Guardian Management Console.\n\n1.2. Select **Workspace** > **Data Export** > **Create Export**.\n\n1.3. From the **Data Sources** list, select **Alerts** or **Events** as the data source.\n\n1.4. From the **Export type** list, select **Syslog**.\n\n1.5. From the **Type list**, select **UDP** or **TCP** as the transport protocol.\n\n1.6. In the **Server** field, type the IP address of your Remote Syslog server.\n\n1.7. In the **Port** field, type 514 (or other port if your Syslog server was configured to use non-default port).\n\n1.8. From the **Severity Level** list, select a severity level.\n\n1.9. Select the **Is Active** check box.\n\n1.9. Click **Next**.\n\n1.10. From the list of available fields, add Alert or Event fields for your data export.\n\n1.11. Select a Criteria for the fields in your data export and click **Next**.\n\n1.12. Select a group for the criteria and click **Next**.\n\n1.13. Click **Test Query**.\n\n1.14. Click **Next**.\n\n1.15. Save the data export.", - "title": "1. Configure Digital Guardian to forward logs via Syslog to remote server where you will install the agent." 
- }, - { - "description": "Install the agent on the Server to which the logs will be forwarded.\n\n> Logs on Linux or Windows servers are collected by **Linux** or **Windows** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "2. Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Open Log Analytics to check if the logs are received using the Syslog schema.\n\n>**NOTE:** It may take up to 15 minutes before new logs will appear in Syslog table.", - "title": "3. 
Check logs in Microsoft Sentinel" - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution." - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "DigitalGuardianDLPEvent Data Parser with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('_parserName1')]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "DigitalGuardianDLP Data Parser", - "category": "Microsoft Sentinel Parser", - "functionAlias": "DigitalGuardianDLPEvent", - "query": "Syslog\n| where SyslogMessage contains 'managed_device_id' and SyslogMessage contains 'number_of_incidents'\n| mv-apply ExtractedFields = extract_all(@'\\s(?P[a-zA-Z0-9-_]+)=\\\"?(?P[a-zA-Z0-9-_:/@.,#{}>< ]+)\\\"?', dynamic([\"key\",\"value\"]), SyslogMessage) on (\n project packed = pack(tostring(ExtractedFields[0]), tostring(ExtractedFields[1]))\n | summarize bag = make_bag(packed)\n)\n| evaluate bag_unpack(bag)\n| extend EventEndTime=todatetime(timestamp)\n| project-away timestamp\n| project-rename 
DvcAvtion=action_taken\n , DstUserName=destination\n , DstIpAddr=destination_ip\n , DstPortNumber=destination_port\n , IncidentId=incident_id\n , IncidentStatus=incident_status\n , IncidentsUrl=incidents_url\n , MatchedPolicies=matched_policies_by_severity\n , EventCount=number_of_incidents\n , NetworkApplicationProtocol=protocol\n , SrcUserName=source\n , SrcIpAddr=source_ip\n , SrcPortNumber=source_port\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", - "dependsOn": [ - "[variables('_parserId1')]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": "Parser", - "version": "[variables('parserVersion1')]", - "source": { - "name": "Digital Guardian Data Loss Prevention", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_parserContentId1')]", - "contentKind": "Parser", - "displayName": "DigitalGuardianDLP Data Parser", - "contentProductId": "[variables('_parsercontentProductId1')]", - "id": "[variables('_parsercontentProductId1')]", - "version": "[variables('parserVersion1')]" - } 
- }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('_parserName1')]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "DigitalGuardianDLP Data Parser", - "category": "Microsoft Sentinel Parser", - "functionAlias": "DigitalGuardianDLPEvent", - "query": "Syslog\n| where SyslogMessage contains 'managed_device_id' and SyslogMessage contains 'number_of_incidents'\n| mv-apply ExtractedFields = extract_all(@'\\s(?P[a-zA-Z0-9-_]+)=\\\"?(?P[a-zA-Z0-9-_:/@.,#{}>< ]+)\\\"?', dynamic([\"key\",\"value\"]), SyslogMessage) on (\n project packed = pack(tostring(ExtractedFields[0]), tostring(ExtractedFields[1]))\n | summarize bag = make_bag(packed)\n)\n| evaluate bag_unpack(bag)\n| extend EventEndTime=todatetime(timestamp)\n| project-away timestamp\n| project-rename DvcAvtion=action_taken\n , DstUserName=destination\n , DstIpAddr=destination_ip\n , DstPortNumber=destination_port\n , IncidentId=incident_id\n , IncidentStatus=incident_status\n , IncidentsUrl=incidents_url\n , MatchedPolicies=matched_policies_by_severity\n , EventCount=number_of_incidents\n , NetworkApplicationProtocol=protocol\n , SrcUserName=source\n , SrcIpAddr=source_ip\n , SrcPortNumber=source_port\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", - "dependsOn": [ - "[variables('_parserId1')]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": 
"Parser", - "version": "[variables('parserVersion1')]", - "source": { - "kind": "Solution", - "name": "Digital Guardian Data Loss Prevention", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "DigitalGuardianWorkbook Workbook with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Sets the time name for analysis" - }, - "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **DigitalGuardianDLPEvent** to work as expected. 
[Follow steps to get this Kusto Function](https://aka.ms/sentinel-DigitalGuardian-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"green\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"45\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| summarize count() by NetworkApplicationProtocol\",\"size\":3,\"title\":\"Network Protocols\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Data Connector 
Statistics\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize dcount(SrcIpAddr)\",\"size\":3,\"title\":\"IP Addresses\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcUserName)\\n| summarize dcount(SrcUserName)\",\"size\":3,\"title\":\"Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcIpAddr)\\n| summarize dcount(SrcIpAddr)\",\"size\":3,\"title\":\"Hosts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(IncidentId)\\n| summarize dcount(IncidentId)\",\"size\":3,\"title\":\"Total 
Incidents\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"customWidth\":\"20\",\"name\":\"group - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\\r\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Source Addresses\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"cat\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"35\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(SrcUserName)\\n| summarize count() by SrcUserName\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"35\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(http_url)\\n| extend u = parse_url(http_url)\\n| extend Domain = tostring(u.Host)\\n| summarize count() 
by Domain\\n| project Domain, EventCount=count_\",\"size\":3,\"title\":\"Top domains\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10}},\"customWidth\":\"30\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\n| where isnotempty(DstUserName)\\n| summarize f = makeset(inspected_document) by DstUserName\\n| project Email = DstUserName, Files = f, FileCount = array_length(f)\",\"size\":0,\"title\":\"Top Recipients\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalMailsReceived\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"40\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(inspected_document)\\r\\n| order by TimeGenerated\\r\\n| project File=inspected_document, User=SrcUserName, Policy=MatchedPolicies\",\"size\":0,\"title\":\"Inspected files\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total Bytes 
(KB)\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TrafficVolume(MB)\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"55\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DigitalGuardianDLPEvent\\r\\n| where isnotempty(IncidentStatus)\\r\\n| extend inc_act = split(IncidentStatus, ',')\\r\\n| where inc_act has 'New'\\r\\n| order by TimeGenerated\\r\\n| project TimeGenerated, User=SrcUserName, File=inspected_document, MatchedPolicies\\r\\n\",\"size\":0,\"title\":\"New Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 1\"}],\"fromTemplateId\":\"sentinel-DigitalGuardianWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", - "properties": { - "description": "@{workbookKey=DigitalGuardianWorkbook; logoFileName=Azure_Sentinel.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; 
version=1.0.0; title=DigitalGuardianDLP; templateRelativePath=DigitalGuardian.json; subtitle=; provider=Digital Guardian}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", - "source": { - "kind": "Solution", - "name": "Digital Guardian Data Loss Prevention", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "DigitalGuardianDLPEvent", - "kind": "DataType" - }, - { - "contentId": "DigitalGuardianDLP", - "kind": "DataConnector" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId1')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook1-name')]", - "contentProductId": "[variables('_workbookcontentProductId1')]", - "id": "[variables('_workbookcontentProductId1')]", - "version": "[variables('workbookVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]"
 ],
 "properties": {
 "description": "DigitalGuardianClassifiedDataInsecureTransfer_AnalyticalRules Analytics Rule with template version 3.0.0",
@@ -866,22 +331,22 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "columnName": "IPCustomEntity",
 "identifier": "Address"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -891,7 +356,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Analytics Rule 1",
+ "description": "Digital Guardian Data Loss Prevention Analytics Rule 1",
 "parentId": "[variables('analyticRuleId1')]",
 "contentId": "[variables('_analyticRulecontentId1')]",
 "kind": "AnalyticsRule",
@@ -979,13 +444,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -995,7 +460,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Analytics Rule 2",
+ "description": "Digital Guardian Data Loss Prevention Analytics Rule 2",
 "parentId": "[variables('analyticRuleId2')]",
 "contentId": "[variables('_analyticRulecontentId2')]",
 "kind": "AnalyticsRule",
@@ -1083,13 +548,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1099,7 +564,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Analytics Rule 3",
+ "description": "Digital Guardian Data Loss Prevention Analytics Rule 3",
 "parentId": "[variables('analyticRuleId3')]",
 "contentId": "[variables('_analyticRulecontentId3')]",
 "kind": "AnalyticsRule",
@@ -1187,13 +652,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1203,7 +668,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Analytics Rule 4",
+ "description": "Digital Guardian Data Loss Prevention Analytics Rule 4",
 "parentId": "[variables('analyticRuleId4')]",
 "contentId": "[variables('_analyticRulecontentId4')]",
 "kind": "AnalyticsRule",
@@ -1291,13 +756,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1307,7 +772,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Analytics Rule 5",
+ "description": "Digital Guardian Data Loss Prevention Analytics Rule 5",
 "parentId": "[variables('analyticRuleId5')]",
 "contentId": "[variables('_analyticRulecontentId5')]",
 "kind": "AnalyticsRule",
@@ -1395,13 +860,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1411,7 +876,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Analytics Rule 6",
+ "description": "Digital Guardian Data Loss Prevention Analytics Rule 6",
 "parentId": "[variables('analyticRuleId6')]",
 "contentId": "[variables('_analyticRulecontentId6')]",
 "kind": "AnalyticsRule",
@@ -1499,13 +964,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1515,7 +980,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Analytics Rule 7",
+ "description": "Digital Guardian Data Loss Prevention Analytics Rule 7",
 "parentId": "[variables('analyticRuleId7')]",
 "contentId": "[variables('_analyticRulecontentId7')]",
 "kind": "AnalyticsRule",
@@ -1603,13 +1068,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1619,7 +1084,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Analytics Rule 8",
+ "description": "Digital Guardian Data Loss Prevention Analytics Rule 8",
 "parentId": "[variables('analyticRuleId8')]",
 "contentId": "[variables('_analyticRulecontentId8')]",
 "kind": "AnalyticsRule",
@@ -1707,13 +1172,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1723,7 +1188,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Analytics Rule 9",
+ "description": "Digital Guardian Data Loss Prevention Analytics Rule 9",
 "parentId": "[variables('analyticRuleId9')]",
 "contentId": "[variables('_analyticRulecontentId9')]",
 "kind": "AnalyticsRule",
@@ -1811,13 +1276,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1827,7 +1292,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Analytics Rule 10",
+ "description": "Digital Guardian Data Loss Prevention Analytics Rule 10",
 "parentId": "[variables('analyticRuleId10')]",
 "contentId": "[variables('_analyticRulecontentId10')]",
 "kind": "AnalyticsRule",
@@ -1883,7 +1348,7 @@
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
 "apiVersion": "2022-10-01",
- "name": "DigitalGuardianDLP_Hunting_Query_1",
+ "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_1",
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
@@ -1912,7 +1377,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Hunting Query 1",
+ "description": "Digital Guardian Data Loss Prevention Hunting Query 1",
 "parentId": "[variables('huntingQueryId1')]",
 "contentId": "[variables('_huntingQuerycontentId1')]",
 "kind": "HuntingQuery",
@@ -1968,7 +1433,7 @@
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
 "apiVersion": "2022-10-01",
- "name": "DigitalGuardianDLP_Hunting_Query_2",
+ "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_2",
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
@@ -1997,7 +1462,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Hunting Query 2",
+ "description": "Digital Guardian Data Loss Prevention Hunting Query 2",
 "parentId": "[variables('huntingQueryId2')]",
 "contentId": "[variables('_huntingQuerycontentId2')]",
 "kind": "HuntingQuery",
@@ -2053,7 +1518,7 @@
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
 "apiVersion": "2022-10-01",
- "name": "DigitalGuardianDLP_Hunting_Query_3",
+ "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_3",
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
@@ -2082,7 +1547,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Hunting Query 3",
+ "description": "Digital Guardian Data Loss Prevention Hunting Query 3",
 "parentId": "[variables('huntingQueryId3')]",
 "contentId": "[variables('_huntingQuerycontentId3')]",
 "kind": "HuntingQuery",
@@ -2138,7 +1603,7 @@
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
 "apiVersion": "2022-10-01",
- "name": "DigitalGuardianDLP_Hunting_Query_4",
+ "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_4",
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
@@ -2167,7 +1632,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Hunting Query 4",
+ "description": "Digital Guardian Data Loss Prevention Hunting Query 4",
 "parentId": "[variables('huntingQueryId4')]",
 "contentId": "[variables('_huntingQuerycontentId4')]",
 "kind": "HuntingQuery",
@@ -2223,7 +1688,7 @@
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
 "apiVersion": "2022-10-01",
- "name": "DigitalGuardianDLP_Hunting_Query_5",
+ "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_5",
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
@@ -2252,7 +1717,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Hunting Query 5",
+ "description": "Digital Guardian Data Loss Prevention Hunting Query 5",
 "parentId": "[variables('huntingQueryId5')]",
 "contentId": "[variables('_huntingQuerycontentId5')]",
 "kind": "HuntingQuery",
@@ -2308,7 +1773,7 @@
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
 "apiVersion": "2022-10-01",
- "name": "DigitalGuardianDLP_Hunting_Query_6",
+ "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_6",
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
@@ -2337,7 +1802,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Hunting Query 6",
+ "description": "Digital Guardian Data Loss Prevention Hunting Query 6",
 "parentId": "[variables('huntingQueryId6')]",
 "contentId": "[variables('_huntingQuerycontentId6')]",
 "kind": "HuntingQuery",
@@ -2393,7 +1858,7 @@
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
 "apiVersion": "2022-10-01",
- "name": "DigitalGuardianDLP_Hunting_Query_7",
+ "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_7",
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
@@ -2422,7 +1887,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Hunting Query 7",
+ "description": "Digital Guardian Data Loss Prevention Hunting Query 7",
 "parentId": "[variables('huntingQueryId7')]",
 "contentId": "[variables('_huntingQuerycontentId7')]",
 "kind": "HuntingQuery",
@@ -2478,7 +1943,7 @@
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
 "apiVersion": "2022-10-01",
- "name": "DigitalGuardianDLP_Hunting_Query_8",
+ "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_8",
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
@@ -2507,7 +1972,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]",
 "properties": {
- "description": "DigitalGuardianDLP Hunting Query 8",
+ "description": "Digital Guardian Data Loss Prevention Hunting Query 8",
 "parentId": "[variables('huntingQueryId8')]",
 "contentId": "[variables('_huntingQuerycontentId8')]",
 "kind": "HuntingQuery",
@@ -2547,42 +2012,206 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName9')]", + "name": "[variables('huntingQueryTemplateSpecName9')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "DigitalGuardianRareUrls_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion9')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_9", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Digital Guardian - Rare Urls", + "category": "Hunting Queries", + "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(http_url)\n| summarize count() by SrcUserName, http_url\n| order by count_ asc\n| top 10 by count_\n| extend AccountCustomEntity = SrcUserName\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for rare Urls." 
+ }, + { + "name": "tactics", + "value": "Exfiltration" + }, + { + "name": "techniques", + "value": "T1048" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]", + "properties": { + "description": "Digital Guardian Data Loss Prevention Hunting Query 9", + "parentId": "[variables('huntingQueryId9')]", + "contentId": "[variables('_huntingQuerycontentId9')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion9')]", + "source": { + "kind": "Solution", + "name": "Digital Guardian Data Loss Prevention", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId9')]", + "contentKind": "HuntingQuery", + "displayName": "Digital Guardian - Rare Urls", + "contentProductId": "[variables('_huntingQuerycontentProductId9')]", + "id": "[variables('_huntingQuerycontentProductId9')]", + "version": "[variables('huntingQueryVersion9')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName10')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]" + ], + "properties": { + "description": "DigitalGuardianUrlByUser_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion10')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Digital_Guardian_Data_Loss_Prevention_Hunting_Query_10", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Digital Guardian - Urls used", + "category": "Hunting Queries", + "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(http_url)\n| project SrcUserName, DstUserName, URL=http_url, MatchedPolicies\n| extend AccountCustomEntity = SrcUserName\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for URLs used." 
+ }, + { + "name": "tactics", + "value": "Exfiltration" + }, + { + "name": "techniques", + "value": "T1048" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]", + "properties": { + "description": "Digital Guardian Data Loss Prevention Hunting Query 10", + "parentId": "[variables('huntingQueryId10')]", + "contentId": "[variables('_huntingQuerycontentId10')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion10')]", + "source": { + "kind": "Solution", + "name": "Digital Guardian Data Loss Prevention", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId10')]", + "contentKind": "HuntingQuery", + "displayName": "Digital Guardian - Urls used", + "contentProductId": "[variables('_huntingQuerycontentProductId10')]", + "id": "[variables('_huntingQuerycontentProductId10')]", + "version": "[variables('huntingQueryVersion10')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianRareUrls_HuntingQueries Hunting Query with template version 3.0.0", + "description": "DigitalGuardianDLPEvent Data Parser with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion9')]", + "contentVersion": "[variables('parserVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", + "name": "[variables('_parserName1')]", "apiVersion": "2022-10-01", - "name": "DigitalGuardianDLP_Hunting_Query_9", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Digital Guardian - Rare Urls", - "category": "Hunting Queries", - "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(http_url)\n| summarize count() by SrcUserName, http_url\n| order by count_ asc\n| top 10 by count_\n| extend AccountCustomEntity = SrcUserName\n", + "displayName": "DigitalGuardianDLP Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "DigitalGuardianDLPEvent", + "query": "Syslog\n| where SyslogMessage contains 'managed_device_id' and SyslogMessage contains 'number_of_incidents'\n| mv-apply ExtractedFields = extract_all(@'\\s(?P[a-zA-Z0-9-_]+)=\\\"?(?P[a-zA-Z0-9-_:/@.,#{}>< ]+)\\\"?', dynamic([\"key\",\"value\"]), SyslogMessage) on (\n project packed = pack(tostring(ExtractedFields[0]), tostring(ExtractedFields[1]))\n | summarize bag = make_bag(packed)\n)\n| evaluate bag_unpack(bag)\n| extend EventEndTime=todatetime(timestamp)\n| project-away timestamp\n| project-rename DvcAvtion=action_taken\n , DstUserName=destination\n , DstIpAddr=destination_ip\n , DstPortNumber=destination_port\n , IncidentId=incident_id\n , IncidentStatus=incident_status\n , 
IncidentsUrl=incidents_url\n , MatchedPolicies=matched_policies_by_severity\n , EventCount=number_of_incidents\n , NetworkApplicationProtocol=protocol\n , SrcUserName=source\n , SrcIpAddr=source_ip\n , SrcPortNumber=source_port\n", + "functionParameters": "", "version": 2, "tags": [ { "name": "description", - "value": "Query searches for rare Urls." - }, - { - "name": "tactics", - "value": "Exfiltration" - }, - { - "name": "techniques", - "value": "T1048" + "value": "" } ] } @@ -2590,16 +2219,18 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "dependsOn": [ + "[variables('_parserId1')]" + ], "properties": { - "description": "DigitalGuardianDLP Hunting Query 9", - "parentId": "[variables('huntingQueryId9')]", - "contentId": "[variables('_huntingQuerycontentId9')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion9')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + "version": "[variables('parserVersion1')]", "source": { - "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", + "kind": "Solution", "sourceId": "[variables('_solutionId')]" }, "author": { 
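Review bot: The parser query's `project-rename DvcAvtion=action_taken` (in the savedSearches resource of this hunk, repeated verbatim in the standalone parser resource of the next large hunk) looks like a typo for the ASIM field `DvcAction`, so any normalized detection keyed on that name would silently see no column. The `extract_all` value class `[a-zA-Z0-9-_:/@.,#{}>< ]+` also stops at `?`, `=`, `&` and `%`, so an `http_url` with a query string is truncated before the hunting queries in this hunk summarize by it, merging distinct URLs into one row; widening the class would keep them apart. As rendered here the capture groups read `(?P[a-zA-Z0-9-_]+)` with no `<key>`/`<value>` labels, which would be an invalid pattern; presumably that is a rendering artifact since `dynamic(["key","value"])` references those names, but the committed text is worth confirming. `evaluate bag_unpack(bag)` creates columns from whatever key names the log source emits, so a key that collides with an existing column of the `Syslog` row may make the function error at query time; bag_unpack's `columnsConflict` argument or an output prefix would bound that. Since this template is generated, the changes belong in the parser source the packaging step reads rather than here.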
@@ -2621,67 +2252,248 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId9')]", - "contentKind": "HuntingQuery", - "displayName": "Digital Guardian - Rare Urls", - "contentProductId": "[variables('_huntingQuerycontentProductId9')]", - "id": "[variables('_huntingQuerycontentProductId9')]", - "version": "[variables('huntingQueryVersion9')]" + "contentId": "[variables('_parserContentId1')]", + "contentKind": "Parser", + "displayName": "DigitalGuardianDLP Data Parser", + "contentProductId": "[variables('_parsercontentProductId1')]", + "id": "[variables('_parsercontentProductId1')]", + "version": "[variables('parserVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('_parserName1')]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "DigitalGuardianDLP Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "DigitalGuardianDLPEvent", + "query": "Syslog\n| where SyslogMessage contains 'managed_device_id' and SyslogMessage contains 'number_of_incidents'\n| mv-apply ExtractedFields = extract_all(@'\\s(?P[a-zA-Z0-9-_]+)=\\\"?(?P[a-zA-Z0-9-_:/@.,#{}>< ]+)\\\"?', dynamic([\"key\",\"value\"]), SyslogMessage) on (\n project packed = pack(tostring(ExtractedFields[0]), tostring(ExtractedFields[1]))\n | summarize bag = make_bag(packed)\n)\n| evaluate bag_unpack(bag)\n| extend EventEndTime=todatetime(timestamp)\n| project-away timestamp\n| project-rename DvcAvtion=action_taken\n , DstUserName=destination\n , DstIpAddr=destination_ip\n , DstPortNumber=destination_port\n , IncidentId=incident_id\n , IncidentStatus=incident_status\n , IncidentsUrl=incidents_url\n , MatchedPolicies=matched_policies_by_severity\n , EventCount=number_of_incidents\n , NetworkApplicationProtocol=protocol\n , 
SrcUserName=source\n , SrcIpAddr=source_ip\n , SrcPortNumber=source_port\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "dependsOn": [ + "[variables('_parserId1')]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", + "contentId": "[variables('_parserContentId1')]", + "kind": "Parser", + "version": "[variables('parserVersion1')]", + "source": { + "kind": "Solution", + "name": "Digital Guardian Data Loss Prevention", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName10')]", + "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DigitalGuardianUrlByUser_HuntingQueries Hunting Query with template version 3.0.0", + "description": "Digital Guardian Data Loss Prevention data connector with template version 3.0.0", "mainTemplate": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion10')]", + "contentVersion": "[variables('dataConnectorVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "DigitalGuardianDLP_Hunting_Query_10", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", + "kind": "GenericUI", "properties": { - "eTag": "*", - "displayName": "Digital Guardian - Urls used", - "category": "Hunting Queries", - "query": "DigitalGuardianDLPEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(http_url)\n| project SrcUserName, DstUserName, URL=http_url, MatchedPolicies\n| extend AccountCustomEntity = SrcUserName\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for URLs used." 
+ "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Digital Guardian Data Loss Prevention", + "publisher": "Digital Guardian", + "descriptionMarkdown": "[Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "DigitalGuardianDLPEvent", + "baseQuery": "DigitalGuardianDLPEvent" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Clients (Source IP)", + "query": "DigitalGuardianDLPEvent\n | where notempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "Syslog (DigitalGuardianDLPEvent)", + "lastDataReceivedQuery": "DigitalGuardianDLPEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "DigitalGuardianDLPEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false }, - { - "name": "tactics", - "value": "Exfiltration" + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission is required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] }, - { - "name": "techniques", - "value": "T1048" - } - ] + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution." + }, + { + "description": "Follow these steps to configure Digital Guardian to forward logs via Syslog:\n\n1.1. Log in to the Digital Guardian Management Console.\n\n1.2. Select **Workspace** > **Data Export** > **Create Export**.\n\n1.3. From the **Data Sources** list, select **Alerts** or **Events** as the data source.\n\n1.4. From the **Export type** list, select **Syslog**.\n\n1.5. From the **Type list**, select **UDP** or **TCP** as the transport protocol.\n\n1.6. In the **Server** field, type the IP address of your Remote Syslog server.\n\n1.7. In the **Port** field, type 514 (or other port if your Syslog server was configured to use non-default port).\n\n1.8. From the **Severity Level** list, select a severity level.\n\n1.9. Select the **Is Active** check box.\n\n1.9. Click **Next**.\n\n1.10. From the list of available fields, add Alert or Event fields for your data export.\n\n1.11. Select a Criteria for the fields in your data export and click **Next**.\n\n1.12. Select a group for the criteria and click **Next**.\n\n1.13. Click **Test Query**.\n\n1.14. Click **Next**.\n\n1.15. Save the data export.", + "title": "1. Configure Digital Guardian to forward logs via Syslog to remote server where you will install the agent." 
+ }, + { + "description": "Install the agent on the Server to which the logs will be forwarded.\n\n> Logs on Linux or Windows servers are collected by **Linux** or **Windows** agents.", + "instructions": [ + { + "parameters": { + "title": "Choose where to install the Linux agent:", + "instructionSteps": [ + { + "title": "Install agent on Azure Linux Virtual Machine", + "description": "Select the machine to install the agent on and then click **Connect**.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxVirtualMachine" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "Install agent on a non-Azure Linux Machine", + "description": "Download the agent on the relevant machine and follow the instructions.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxNonAzure" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. Install and onboard the agent for Linux or Windows" + }, + { + "instructions": [ + { + "parameters": { + "title": "Choose where to install the Windows agent:", + "instructionSteps": [ + { + "title": "Install agent on Azure Windows Virtual Machine", + "description": "Select the machine to install the agent on and then click **Connect**.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnVirtualMachine" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "Install agent on a non-Azure Windows Machine", + "description": "Download the agent on the relevant machine and follow the instructions.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnNonAzure" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Open Log Analytics to check if the logs are received using the Syslog schema.\n\n>**NOTE:** It may take up to 15 minutes before new logs will appear in Syslog table.", + "title": "3. 
Check logs in Microsoft Sentinel" + } + ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { - "description": "DigitalGuardianDLP Hunting Query 10", - "parentId": "[variables('huntingQueryId10')]", - "contentId": "[variables('_huntingQuerycontentId10')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion10')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", "source": { "kind": "Solution", "name": "Digital Guardian Data Loss Prevention", 
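Review bot: The Syslog configuration step in `instructionSteps` numbers two consecutive items `1.9.` (`1.9. Select the **Is Active** check box.` and `1.9. Click **Next**.`), so the list runs 1.9, 1.9, 1.10 … 1.15; the same text is repeated in the standalone dataConnectors resource of the following hunk, and because this template is generated both copies come from the connector definition the packaging step reads. The same step tells the operator to pick UDP or TCP to port 514; a one-line caveat that plain syslog on either transport is neither authenticated nor encrypted, so the collector should be reachable only from the Digital Guardian export host, would help whoever follows it. `permissionsDisplayText` reads `write permission is required.` while the adjacent `requiredPermissions` declares `read`, `write` and `delete`; the text should state what is actually requested so the person granting access is not surprised.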
@@ -2706,12 +2518,200 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId10')]", - "contentKind": "HuntingQuery", - "displayName": "Digital Guardian - Urls used", - "contentProductId": "[variables('_huntingQuerycontentProductId10')]", - "id": "[variables('_huntingQuerycontentProductId10')]", - "version": "[variables('huntingQueryVersion10')]" + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Digital Guardian Data Loss Prevention", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Digital Guardian Data Loss Prevention", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Digital Guardian Data Loss Prevention", + "publisher": "Digital Guardian", + "descriptionMarkdown": "[Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "DigitalGuardianDLPEvent", + "baseQuery": "DigitalGuardianDLPEvent" + } + ], + "dataTypes": [ + { + "name": "Syslog (DigitalGuardianDLPEvent)", + "lastDataReceivedQuery": "DigitalGuardianDLPEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "DigitalGuardianDLPEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Top 10 Clients (Source IP)", + "query": "DigitalGuardianDLPEvent\n | where notempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission is required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution." + }, + { + "description": "Follow these steps to configure Digital Guardian to forward logs via Syslog:\n\n1.1. Log in to the Digital Guardian Management Console.\n\n1.2. Select **Workspace** > **Data Export** > **Create Export**.\n\n1.3. From the **Data Sources** list, select **Alerts** or **Events** as the data source.\n\n1.4. From the **Export type** list, select **Syslog**.\n\n1.5. From the **Type list**, select **UDP** or **TCP** as the transport protocol.\n\n1.6. In the **Server** field, type the IP address of your Remote Syslog server.\n\n1.7. In the **Port** field, type 514 (or other port if your Syslog server was configured to use non-default port).\n\n1.8. From the **Severity Level** list, select a severity level.\n\n1.9. Select the **Is Active** check box.\n\n1.9. Click **Next**.\n\n1.10. From the list of available fields, add Alert or Event fields for your data export.\n\n1.11. Select a Criteria for the fields in your data export and click **Next**.\n\n1.12. Select a group for the criteria and click **Next**.\n\n1.13. Click **Test Query**.\n\n1.14. Click **Next**.\n\n1.15. Save the data export.", + "title": "1. Configure Digital Guardian to forward logs via Syslog to remote server where you will install the agent." 
+ }, + { + "description": "Install the agent on the Server to which the logs will be forwarded.\n\n> Logs on Linux or Windows servers are collected by **Linux** or **Windows** agents.", + "instructions": [ + { + "parameters": { + "title": "Choose where to install the Linux agent:", + "instructionSteps": [ + { + "title": "Install agent on Azure Linux Virtual Machine", + "description": "Select the machine to install the agent on and then click **Connect**.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxVirtualMachine" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "Install agent on a non-Azure Linux Machine", + "description": "Download the agent on the relevant machine and follow the instructions.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxNonAzure" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. Install and onboard the agent for Linux or Windows" + }, + { + "instructions": [ + { + "parameters": { + "title": "Choose where to install the Windows agent:", + "instructionSteps": [ + { + "title": "Install agent on Azure Windows Virtual Machine", + "description": "Select the machine to install the agent on and then click **Connect**.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnVirtualMachine" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "Install agent on a non-Azure Windows Machine", + "description": "Download the agent on the relevant machine and follow the instructions.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnNonAzure" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Open Log Analytics to check if the logs are received using the Syslog schema.\n\n>**NOTE:** It may take up to 15 minutes before new logs will appear in Syslog table.", + "title": "3. 
Check logs in Microsoft Sentinel" + } + ], + "id": "[variables('_uiConfigId1')]", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution." + } } }, { @@ -2733,7 +2733,7 @@ "parentId": "[variables('_solutionId')]", "source": { "kind": "Solution", - "name": "DigitalGuardianDLP", + "name": "Digital Guardian Data Loss Prevention", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -2749,16 +2749,6 @@ "dependencies": { "operator": "AND", "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "Parser", - "contentId": "[variables('_parserContentId1')]", - "version": "[variables('parserVersion1')]" - }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", @@ -2863,6 +2853,16 @@ "kind": "HuntingQuery", "contentId": "[variables('_huntingQuerycontentId10')]", "version": "[variables('huntingQueryVersion10')]" + }, + { + "kind": "Parser", + "contentId": "[variables('_parserContentId1')]", + "version": "[variables('parserVersion1')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" } ] }, diff --git a/Solutions/DigitalGuardianDLP/ReleaseNotes.md b/Solutions/DigitalGuardianDLP/ReleaseNotes.md new file mode 100644 index 00000000000..08b548cf89d --- /dev/null +++ b/Solutions/DigitalGuardianDLP/ReleaseNotes.md @@ -0,0 +1,5 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.0 | 09-10-2023 | **Hunting Query** issue Fixed | + + 
diff --git a/Solutions/DigitalGuardianDLP/SolutionMetadata.json b/Solutions/DigitalGuardianDLP/SolutionMetadata.json index 5437bd59965..ad8f69f8440 100644 --- a/Solutions/DigitalGuardianDLP/SolutionMetadata.json +++ b/Solutions/DigitalGuardianDLP/SolutionMetadata.json @@ -4,7 +4,7 @@ "firstPublishDate": "2021-07-23", "providers": ["Digital Guardian"], "categories": { - "domains" : ["Security – Information Protection"] + "domains" : ["Security - Information Protection"] }, "support": { "name": "Microsoft Corporation", From a41b8f533ac031392b168958de414325c6b268ef Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Mon, 9 Oct 2023 18:25:24 +0530 Subject: [PATCH 4/5] update mainTemplate and zip --- .../DigitalGuardianDLP/Package/3.0.0.zip | Bin 16474 -> 16474 bytes .../Package/mainTemplate.json | 2 +- .../Workbooks/DigitalGuardian.json | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Solutions/DigitalGuardianDLP/Package/3.0.0.zip b/Solutions/DigitalGuardianDLP/Package/3.0.0.zip index 070b5fb1ef02c8389550710d295480a919bf70dd..873c19dca36e57955e62d62916c7d384ea6b0315 100644 GIT binary patch delta 1257 zcmV6E#9G&2zhwj zy9br2U740K#9bsIlU`n0#j0ARXx7(%OfRy*ItPp9=3Ne9YGaee7bZ7we!%{iu*<3B zI{aBcGb3z)bJ8_EaWB!;T_lf}w^WVca5#|J=RWNOTBDhQC?QVHI;5e2o!OHk7$koH z_BG}xop*nK1GG_mH%%-)_omatTz{|>R$_7)zGuNWy>#81<$*R>KCZp`N! zic&_U)`H3sOqhi1j==e@ufywW|9{a8rk4_pB_u*u0T8mg5jq8LU-5Kh)=c3j`sYPWAUdb#$kL`#Yn=Nf z6~%#vTg>i*Ip&kHbEV@BIHZcx(32z?Clzt{ljKmc@6bCEQ_DP?&!=AU_=i=KU>PJa zM?X74I3Kk!{g$giT#p6r)Rvj8Sq?W}xT4D#B#-F(I-)7WLjxxXOUb#jUgQUKDU-Ds zQUX)*lL;Co0!tf{F&e7^OA(Xa8W#a`llB@%A5F4;T7=VNELow-MGJJAr+Mxq-8wmA3>FOYRadUeMo90rtZEBlHp;c{F!9O8#Vcfv-3W z@!h8>p}!WB)Eg=R8I%7T`G4c;++`%9Z5`Q`G1h6iuYBjzNuly6 zWxJrHtf}b4o(A^G3`Zbux-Bfj=6_{^toGdZkOAUl=5!1<*uD{M;~un6*KR0 z|DR~%56Di&L3qbDN2R8z?@20OsBTf}vPG=(cFcTtRfj!VD&338+bE8iv*er3oQK%q zod1Fw-Ml)5VLeFV24_cGx{vpyyh*npS^K80@;;NF9T=qs)I7^ZvMKc%I7uhKL{Y zy)GYmfwzApPrN!W_ZI;9ZDd;+voUWA9xH7jP1%#E!3SnRglw-juZ@E9RZZOZ)1#F( zL?N!UiTI`#v3UC^X#~lB|Cz5>CU71L1VV9tg7s7W8>}6LNq^_HyEN!|5CR8oFju!9 zk*zR65DL4f4bSh-z2YY5q>tlrA04%K3sFL7f@Bl!ko;ozvv+3#xxiavx_`A-+q{#= z9youu0bVx*kBmmJ1HS%}$PJJC9j@;*&sphB0bgsBDe|NPbjfCQ1$pc57JNt0&v;)q z#QgPle`l?i-xT5rSS75<>3s+93eT#HtMc>UJN_O}@@aoY#{_ zAwdB?lZheP0c4Y8A~6=jrqfIaIz@{7^xALDP<7q3mYtMB&$Fu{Aprsl>9fuwLmUkZ TlSx<3rv`~dGynj+lO8}k|7Kwo delta 1257 zcmV6Ez+TsNO*YN zy9a%#QJIP{1YIN{lU`n$#HyO4Xw%n!OfRyLItO#+wq1^2YG9Mb7bZ7ke!%{iu*<3B zI{aCHG9zrka?&+DZZFZ*T_n$zw^WVca5#|J=RWNOTBB)#C?QS`I;3%d9oUm27$kq_ z^)==wop*nK1GG_mH%%-)_omatTz|0qRbp}(zGsm*y>#81N! zic&_U)`H3sOqhi1j==M-ufywW|9{a8=9Ur-BqTyt0T8mg5jq7|U-2Y5#q!>bLHa2aR^WE`=?CW2x61j7%>{gYMlEe z6~%!kTg>i*Ip&kHbEV@BIHZcxxRWFqClzb>ljKmc@6bCEQ_DP?&!=AU?1v?jU>PJa z=RP|>I3Kk!{g$giT#p6r)Rvj8Spqj-wW7-yB#-FJI->c*LjxxXOUa?LUgQUK9h0>g zQUdewlL;Co0?QebF&e7^%MX*@8W#a@llB@%AI-3ST7=VNELoMxMGJJABz@@}KFL`? 
z>oY(X2WkCylUy50E~NiIxq-8wWw!(qOYRadUeF&;0rtZEBlHp;c{F!9O8#Vcfv-3W z@!h8>p+6Oq)Eg=R7L)%Q`G4K&++`%9JssJ8G1h6i-HS0~dqRMEvas3qu6*0mNuly6 zWm}-6tf}b4o(A^G3`Zbux+g5(A9bAUjJbz_^tt=qs)I4^ZvMKc%I7uhKL{Y zy)GYmfwzApPrN!W_viokZDjixvoUWA9xLr1P1%#E!3SnRglwZXuZ@E9RZZOZyQ7sh zL?N!UgZQQvv3Q#(X#~lB{F$#;CU71L1VV9tfAv%T1FRi|Nq^+EyEN!|5CR8oFju!< zkgYI55DL4f4bSh-z2Xk&q>tlrA04%K3sFL7f@Bl!ko;Wtvv+3#xxiavx_Px%+qsj- z9yotj0bVx*kBmmJ{k{H%$PJJC9j3s+93eT#HtMc36JN^<-@@aoOhE) zAwdB Date: Mon, 9 Oct 2023 18:27:47 +0530 Subject: [PATCH 5/5] corrected domain info in mainTemplate --- .../DigitalGuardianDLP/Package/3.0.0.zip | Bin 16474 -> 16468 bytes .../Package/mainTemplate.json | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Solutions/DigitalGuardianDLP/Package/3.0.0.zip b/Solutions/DigitalGuardianDLP/Package/3.0.0.zip index 873c19dca36e57955e62d62916c7d384ea6b0315..21e3987900027b25111dc29bb99940613d9d1a02 100644 GIT binary patch delta 7362 zcmY+JWmHt(+pvf31_^1TJEcQVQVHp91_5bCY7X7fDd|uGBA|riP*OvOARW?3&CvDm z`>*%Qdp@4E_gUB4*Ij#^`4F_}5VTrD0&?p#bt6q3D@_G45U2%$4k81k2`f_k2qd_o z27soIY`Xx~zpJkPYk6B4mq2L-i2Kd!)QR5F;lPE_sbco|^$79?7-fIp@JdHyJSJWU zrkb!L_;{p*ACJpCvhrFUHjqj=x_`kJIhAf_muIkOwMspizfq1;r%K{9SG)8YllLDG zfB0ji=AO_{Jy|q;)4o80cVIB6FpJ^>h`u!$I3|J$tj>>BDb%>Re+~CvT%i0@?~432 zBQiGg+L7D&pd6_ZcFD^yDfKkZ?wWooT2rcQOgQ*OTH@}$^b}+cz3fQG`FuEA-gi3s zYf6jZ8w#z$M&W*xRGGHGc6P_PXz&&P(zB`ZmriG3d1u^Au|oZoN#@f}OP{Y20s4`P zcCh?4w21o6Im4zO^B&(H&ZP9|Bk4ceqHaz{4W>_)vM8$3-zi_N{qV+!$TE>Jw zL=jqUQmzc+^-cz@FbS;9dPXP8{LR`R_AX_BaQ%;KNEn-WX@l6RAw(vqR4mYO@w0T8 z%I`TV-g3M{orUZT;>U$q-itOj%{{l7mK+c;!O0$3%%mD0o=QbWsl{LMR%K>J8T2|@ z^piW*Je;?<7#tYnAwVB|1SX7KDVV1yJL;x1ZGx`L$X&4_j_x^3$$(`(H6iy!x?3vG zAhzcMOC*DJpET-*gVK8N#^&w&gh^Yf0&i8Gb3o`2QQ9fJ6>ph%HI(5uoOLNY`B4e9&!k#{&t8m07mz~GU0OLHOHu7e)Qp5+Y;8{Op8{0EG5h|}E@ww%P} zqZNDvmU{&5`H(N!S4G=bg(JWh^6K(W_H#%rm8Il@Z|VZ{%MaHqSv@_ti|cGUw^Vm@ zN9rs#3(0^IPu8sDC^TjR(X{4l9uBDXDn{FTM=B3J>mnJ*i9$@MN97g;T{F z(@s4gpX<@FW+|~rviQ*SqvO&^i7jKEe!WM>nlsQ$9(ZZipk9t`d;njD7`kSrMy0zm ziT}u9t$ul8>AR@XYq1mfL;^dpx0U2e-%ksHUw%+#{11zAreCvbT+miWz=vssw2u)t z`QNjS3#T1VO2SuMF%!?ab5b`v^`!uW=#uWxESNJjbI8=e{|nOF$HT*GFPp1hWlb+J z)=MjWyu=RHGOCi_7!oUO@JUXTLxUlQ+2vV9#uO$+soSuyZenaILW-mEPD>xEDVP?^ z6N-0+%T=+FiJAVGW`vJv#!__d$AB?Ih;eqoj6VpLS3z1?k9J)4P`^>y1bjZ??sDOj z((sUti<9qp{?$%Rs{{Ylh3yho$#i!%NiX$MyxT2PD+x3E?3H1gH6(}E9MUE_8-Ybu zIEiI4U&~B#ABJp2$DgDCc zoWN)Gem~#*f8D~pKc*}KTLFz8r#^@?jM<*Z_$=&`bsMT$Y6zig=_RG=-%xm(dX5s2 z5`6kqFA0GWc6=Q+@34ymA_Xq2_rrTs=EuM9Ba_-{M3^qN;69rm~iWu znN~SsRVwh#>I}K~1BgB`H+hLsmT)+bNl0BHByKFc!2kEBMe^HFH}PN?rN!^(Z_3io zt0D|47NHt#>3&N6oszK5I4)Az&9nke(j~$OpD`s0`{1A5L2PpB%)Tp`Y@}EvWKi0d z%%g6xIdzadtq3+;dL`y8Z%m~sTy!>M$~KPA?_$Sn<2N{50YEOyA48(EvZEC5zl6g& 
zkP#@N6=3$CS{BrnoCp4tbVA>+u&Cm5sf7kdwpBhAA=9BFo@K|1fnlg&29k`^C~$n6 zX;UnMLM-BtyB|g;=5E&eI|i#(TRvVMZJzlSDF9OAD?&Rf0Cc=YXl#HIg&o+>NZ>|NUi5 zc>xE{0m%z~16@$80|lLdsum^+v{E!ri#ctz>KPRG$=*&QL$+1Q=nI5BFi=)ek^pi- zPp!Ule$v55Y@K4}stWoms0tF(0@2GVpcM%L(*xv_DRw5hs@5y_~(bRaUdZuwT*A*lkIQn5p?>k zMkX)5kT5Js{YNapM=V`WizgxbGR>NK@=+OrsTw=pUg%hYSojNtK6T8; zqN?;?7ht8ABL6H*9vX)2Rkj7Z^u|$bwuq*O6s-~`Ql3`6?^jWD2Df1zhR8|g&t0yS zyw1Vp`WU^x9{lwHoc&IwyQAZEr`1&iuv7;%XZaMW+ZU;JC4ah(b|1j_dSdzgbvp=I z6Cf2)81ry)e5ci1K)kaph=Y2HeceAsf}(mtn}Z(w2iUIL%lvO-KYJBc*0Bi z5c~fSi4wBHE;;oVPRRT#5BH2OOi1BARaOtiAUS1bSq$b28pS|p5sId>OpE2&Kj6Wb zvRkWyK2d(aDp4MsEidU0y;ihYPT>w_meDa>61jgId_v^M8#i|_RG9`g>4V3i*UXPi z@ih}=RLa>7M#X+6D)h0@kp4H%k-T9D9;XjJc0TXs4xd_tDkqBQ=wO%Q`x`vBWi1k; zvBY->5jSU;Yz$}by!i~zrt${Rxox+9J%wRH`Q{4q=sV*N#-aCKV7N^^aD5B5vdKx| zp3e&YPv^J)be=!ztUnrm)cN`Dy!bzz67yrKA!neDX*11`{|ZL%qfOBL@;Bwn5$2%r zpo@-9^*8Vs(&!WR1b9;wsj;u%V{x}zZDD3IgWPg71D~Z+-B<<+Gv!x~rure=SsX^uJJIL&&zv|xjC*v)7#3ynXB&35@am)tS*FsL@DnINNqE6J04X`?%G z^UFR2=bVGE?Wgq=7cXbX!!b72m$M}8Jq4Cd%chR;?yiY|V~$|{XeMI2&LjD|vZKhg$7?`S)5&~c zpp(^YdAvef^#klBWp}>&@?NB!cbxKV8dC-8m@$r3 zgegk#64F+vLJ3m1)6feY)=EDsMkQ2|`#JT{29p-VR*IfviI2Q=fxkX>riB}jx`UG~ z)OUt>vUE%ltCfV#!m7?v8U$8}li$Uk_zP$@Qq7#`NF}|L;Uv?+#>}*NZFkeR&zJOl zveO&`>=ylpcf&!>v$(h47u5+oAu;OiB7Ts*-9N7Bfv*rf(5+e$EgP&ang=_GbmP*x$L1;_!n^)>S2tNj~nA;&0~xZ zO6y`EL=>HgpNW2S4k;$Gu1Ak^08P-*a2S5Yo0?g4vv(!6A<$yRj9mnl{+1naWYMej z#D}tdXraq*Y0sPZ@q5wX+ji6xLH&V7$NFUt8lCprorhW0Y_g}wcpNzvZ$DA|^`N8d z=+5yKWw8YGVFrvX&XrrN!XK(|VNm!@f;ff0aFNIPr#}i35@NttMBgiE$TD?pAgTR# zGS@+aM)3ar|85Dmkc>G6aM-+EwmcSZZ}Ib`JlWy4-I#3!@O#>K?sT?KkH&25JSFxy zx(Qxxd2Er~u2xCoh0hS(;S?TfV_5PSQ44mjXy}QiLpU=oI1M1}#|`9xt0uQ}$TVcr zbCf!vdk=^WfYkfF&ckTgtENt9kj29COcWRtR2RCIzG}FfNG(yjXCc$fmivnPe3gl3 zgdP%=9)V$3%osG$Yx69Qe^#|D-T^<&LAckXhmY>_Mn|>7WYBMOie;()Ch-lAV@K9lJd{yN0p=W^URN*)Kx!qAU^pETuYMr>jXodg2nxoQ zSuz|D`y#(dCMyc&Vx4rLSK2LWP?K2`ypUAksx8l1$zVRL+u0Lux#*rV%6MB&Tdnw4 zgxHq8))_{v7l-p%?nwX@f2pA-_)G8p)BeDKh9SR))Me^sw4KOb3bs_LyGL_tBVT42 
z-v!ZT0fW;1IqegtB+JF!Lnq9iOeweJ_Hy`?_4<3{-Q~?Lv0!Am=*6kZ3aB*Lb*jcc z4h8TpL9?fR>nS+MGwO$mO54?43KVOf5;av^M~Hr^NQ~X*lGhQU_Y^ZqfccF)w@?B$ z0X--{)`uY2T|#LCH!ct|VJi^RnHs71oUYdd=x~Sz8C)Ozmi&ZCD#KBCL|pV|Fle8w zRt-h-z}?dGyt`2kmx8dVZP0^Yp6l2l;Fmx?;;3i}RiHzJrTJcoBI&nYtWWAD*U45@%qu1WS5m3EP|;OrFO_0w09#%V97xYYxE(<@>z-s{=eDStWL{odc| zg>1|^x06S52s_8EP}{$-ax1RFqwpu1TPjp44GiiJNJGWl`phVUDp}e>EIg75tR;7f z6{5zos_E*JTtrg(!v+}h-|4PSEVGz~GrrQXePy{GhRz|zMkM!Qg@T>V_O)>@Ky$6t z7eOda`)g$%yJYu#jzT< zK=Jbv>=1XLZ=ebAnv}F#d}jKoD{IFWMHnnicEVBcMnw##hHB*CvjSQFD~|9liQ1@e z#ImOJ4hu0cx%R+bPr;xO=e8I&FtmI~K+fbiVf!iOsmImz5Y8_BqBVB(YCLLNd5JQV z)hf{H&L_N9_laU!gmgIf2eV(btA&pGPR#*ixH#TeeWHY9ete9#)R4Fjr+vel1|94N zYR5P&4>1HR*acrm8L@X)^T+zJPlyTz30&D?tpcdEo~+bz+=XK^xyA^`0^dxuf2G#rL%w@Fh-*px zOI8Ku4@$9QZ|^mlf7{VEIN8y)#=8G^CHzki8r{wE(}Yf`tg}qD(TXH%Sf9QIR6aHH zH|qiJ?g+bt%p0@i*V~?d97^$b4XhD)KlnQc^Z93| z>FD+rt6#m$FCVd3S(>T@Y9TRFA0PH96Zp1pSG3xW@f7|hc_c=Z;vK%-(K^Dfm5GX{ zQE>mL=+-ATQ4Gd>4V3d8Q!Vpr(?FS0p5w{k&n@P@33iWa zrXH2BZtRa4?|g>8D=xDKv-YTd&x^3q*z~gcJNv>kTsj)=`u%%@s%jdKrnFQ)$q%bI z&MExSdZ#zF8C&420x?9M9&j%D<Rpr5K*By`psVHRBGN71ExM9zS6KsyO6`Ut(p7m{Q_QX zLqr?TRDWq%LbiP?ZAo1H_*iaf?I0{2kKQ1u<7ru^FYC`Q?&KQbc>C3CzkOqU1!d~q ztM?75)rd-T$^swD6WPb!+bB6YEEptzD{gWL|BlKt-4&N`78hj8FMH;o!hy$A5~Ht9 zRFO)aO7zn^e%CpT`meB|wjtOp^~J;@;czM$Dni%)R7rO-^ln;K^Lv*Q5|4jSG?nxF zD@$FO)7Uu2V#$UVg?hSq8Y!EMac?;j^f=NfEhCjrPRRj>R-@$0K zlkR~Bj2Hl0Gt&~wJ5;dPfig}IsRsN(6SxUC!-}r1$EilOe<^#Fk+`MML)-PlC1p*i zGjk{D8ppxkH>sNBRQ>gk>ffwDv5rNYOy0Lsmc0jGZXifDs>FI3ZN0TG0h$Sl;ct4^ z2b#Uv{8R_cV6uBm9W^+EP~G>(t)9KDqZ5a)R(2p$J3nYGNlB|5b_-Jd*h3b6fDsfK zPWYsJiHE6VoH3I$QFM@#FP@mggns&KaFB?US4yh|bIpEP?e9-^FJLE^!SWpak)vhQ zPS&lk!Jc2y;6u3lf=%IgjzY&z7BZ$rbcnn(avZ$1Qn>OB?2}&jH4d)TiH7ajcD%8W zK>(cMO(Z$VEMs-7gu8ztWsC5495Hi|`!>JEz|8+#diDHS)yZPsqi_B_e59B3s0)pTR{UOc?M8shA z1UzT3M8jX#$rG^fQobp-@%Imma7R&!$O!6aXuvpj5E(W#KGozB{a-zmJ==>55|-;Rk^UwN9(tOitN%XD%+NwCN?XXauX!3e|KXRYg9u=t`Fuy9(ugsTDQ{;#pBhwmcyc7xFmJsr_!HMqvfz=c^x-S(x949Zh;>zN`o3F1_-_8u zB9xZu=VbV;rVzgJ$1Th6 
zm%4QD3{-nUas-SNnc5Q~fH*2SIF~JL0nlt$hrEren?AioFvRC?8zq!xZd)B1AIQRO z`5I&&y!vgouc+)QHm|Z|p2&>V&}j0H!58c1{Gq>$-}&EfCjJ^l^7iQ=kb)3CzXB`a zOw<2;5_QYtWP(6mlr$}VN5A&einl64?73hIWh`fyHEhpE1NgOG*J#;t?IE!f3CcGS zVT&HUNiC|Qi#R_%EEhvI1$Gg#CWcohzwblm%AZZCN*AzfzbS{uJ+C*y9`95Zdn;_) zgA3Qw_dKkhxos4nr8zRUm%7Yc0I g42~Oi~!GpUsPViu9+zC#AjZ1KMcL^SX1$SvYfe<{nOK`dUpK)K# zgUr; zV~2|`qgvURN=Xl0xx!N6bDF%j*$OIokQftMTZm4dsZ_ zj8)gNv-9=frb$U->@A|E_g76czJ;g_ozi^4oWzs|34opX827$8ag*ZdLvLC^24K4U!5I0ftvTOver{?{A1tmflwDTY zSOBF%A2T~hgf4Ax%-dv1d>H2qNIwAc+hujv@dZ3`nm^o>S!*O5q$mcAl2)rw)^=DluAYdZG3V-2d_6ZYd4bwj2N-XjZf>@u?%~MFV09Yn`a7a3Ql?jkd8FlcAgo?I!n7VtI z+TM#E!IGo<2+!IvRD#oWg_iyLb@>mopf;2)ch{NX-}XmS<|5lF?F>oZ)J*{ig82^_&oSiyG|o6|p7 z!{Ac@cyy_Ob?ZJ-#6^8|8fvTmK!aKS2Q*mN`b)f6-N8Q2d#X)JXw%?kBxRO%k}leS z2^B`e#&g44AqBfeg6Vd8;zvo+TPq!N&MSHD34bdU<6ZXuc&Tn{sor@f+>6-5UwJaX zcqcQ&uBC@Zbz!`_;N?uKZjLK}F}-!9kz`kz{>gE2#dry$KKDcf>L|Hj*b1g(ty&jobr?^j+>|w&bqGxi_58uHvN(~% zN^IBfMa*k#9l0`hCi;AUbwX{BKHl`cE!C=u1Ds|%*Yw`RrYasV?$xFOPvujC8F390 z-;Tc@w+kuL7PK~Go6wHl;Q%iNrn7aH9a&a+G|CI4tB?lMf*BWtS|Yowy$z}fC$t3y zv;*?n)@_FgBHQb8i$%tc#TN{}sQeGsm&1Aa{uyo=O)d|TNxWfdw8RsJE_a)KyT8~9 zqnNV{y;;fIfSabs1mBw0+%H?jWP7Wxb7Bk2WWQHLB^p&zt%_Y)C*%y7*k((uiaVfk zc`ZTFB1zfe;!G;kSu_xas?>QT!ZOE6UajSxvWUf^G2a>Tu1_DHESZn6j} zl`gg@zEh`onxZS|!S)fs4>=@vmi(a5du|>Z+|%12(AkjC30**oGq zq|Q=sh=q}vI>YP5oKJDOWQWGYmWHGS72O%gfJqOs++>n|(qG20Vzpc+my&*RD6$d` zi6W^0I=x!UA~X`twB@8nNgJw>1^RrdjGI$4%DP~|acM8P!+3lk@{XIZRyz)kFw$Z) zC>lZags%Pp;$}{dmPLc|$Q~htfNIU!V9mnw!1CPi`dRFr2B9$_ibJ77slGJ*LT#QJ z3NHUpbhVFD|G@@@j}Fqs(0BzEoYYsJoJ<7@r@s{@3}j2-I6Sx+40sl6>{fH9=zD<_ z5HJueZ-2Ls%>63u%MV_)sgF&K>?l;Zh2P0d&ORI4rO3j2U$v)N$DtqT+i7sn+ z_;-2W?N!R(MT9(yP=by-R6BH$hUTH&GihOc33vw_NvQb;_T#sgM|SGfyZ~`$rO7fd z?LI;|>~5t-&SU4H*jm~{6JFJavFuDca?%xx;W&OkShZi=?Z#WyV1`_)a&QCLDr>-G zLm4JOR*;kK*O9344JpkDPCR9_4Qav6$aE=XLJvF5`Glkl?-phzhtIIr+B=yk>dDkk zfRs*yH(?l3sEZVwem{DN$abXlR+R%NM`ZXBH`|3mVg7!71_{=2n+RTreUTsCZ0?!%RW?kbR@TXUPOe3P7h z`ZWa4!5ia*9&~Jl9u$Ed^dkdchGU2zKOlfBW``ls`@oRU;H-?(;Tn*F44?#XC(LlL 
zh*vaC= zM0Yhk@)Bs066;&Rw{@p<4qiYE?&-$Dx*3=gue51gE^(1Y|2}j8sI4FGh3-IAsC;)W zr{?*A2Lk?Wx!qJaHb-~CU!x_rZNAqL$~>uxiOo0__f9OLf+;My!4&+e6vsVcPBe|j zN*RK90n9bdq_?m`SBipVrKu&j3>(%vg0_-Qi7++iP#*9t1qh@`LujLE7KHetV9})% zh6twPSD@3J0i>V{UG}FNG|fkeJ2(t~`hsB1^D)Fy+HEc< zm9hc4qXIXduD88|8T=HH3$ag`dT#fJhkzX zaH``mc&A(PGBBAh`{o~5^R)=ZH3j2}4XY^*)Vu@<+7)(tn|qKPX(S&xBn93yDfL*C z0(X~6W*;+?xaLSqKrl_JVVVS8r#Tsxx+HZQKW|A~k%)!|bT1_I zy!d0kQCXO+Gi`7O^!FSZNY>#^_Ofitl=_3-ZNdTKxaGDsqAwEgSKOb;!a&il7w6Ba z9r}LS}Aorg`eaSacQ+N#d@QJ=yh3_OaeXz_;N&&p$8-N4Df=L$#41zfe z#IFjX>=6r~d3&amA%RE50#otzKWBkp&bkgR!-Y9Z!d5Z><}A;7)OHI?fd{Gm4%&eK zoD~Ku;C?6}>>r9C|NI}H#y1$6*AvUI7*hM9VbzQK&s7l)MOY0H6SBX(8jyS>uStMr ze{~v#<1QcB)ZPT-$C4C8pCr!Tu)sJGioMY=r9J_3@Xg6T7N0>Du?IY1-8s|U#2ItL z`5TrOE$e|Tu)Odrd3HoHz}~?8A%JuT(`aP`rqRZkqjA_eRzK?0_cP2~%j+1lMpCoh zJJA(_V5{4Yu(&{}!?IwID$MW^(Oc(X(8sigo2#K{&RqNG*O)tWeKK<0pI?W+0H*J@FEl-_ zqpc=E&V>2u-$?(zjSQLvBD^2S*HdtQII@*The=~+ME(^IgF?e#VACtB{MPQ5+`o8x zvJH>zA0GzsQ&&GG1@$krVySCXI%z|8@a++*Mv8`s-;!+v|M(})Jh{w2 zH;%v2f*GlVmT%Rq_?pDjzuc_9}?tSlfnLgaRpI!F_NW5-2K8>uz z0jq1m%lp7{#bR?#PEMKRHVEBE_4&#AXm9GDCqrEU2}J$YWU{^tCl1y7Bj~S1 zT{c1AKbt?>QQIMVeJ2A2>@AEeilD?O(P$@%rv)=rrK5A3%gt!ZU?30cExWrQE?jzt z`<*-TDbQCI`Y_a#u}1%UJQ4RO`+s{g&FCjymns*6Hqo_m z@>n*WY?SdV{bUIPUM{NSXuv>(NnwBiwT z>Ckgs8^{BhpL);!y2Pz)ukljR_+iR7|H$aCd}F6ci<&mSb1&%go9xkxk7NB%GSN5`<-Fu_fz_!I(*` z$p~iho8d)LUt-w^y($LCJn{0sRO?)1yq%JF=!rSE!|zEWbYV#}k=`F?BhfVSbk)sn z$t-K(C=2HX+hvi*aAYw4{&MM4nK@FNM~KFPjR0;gZw=V?JS?dt;?YMm%CWea^D$KW zqjcd05R3B+4V1Yy4E4NuHF|QmIP)IpA#c+U_AV0^B3wV%Fhb5(3scc5d|v>W7^pyL zYw23ICrQ*@UuH$B6A{ufLe*p+%(j=R230b$kHOo*+t!AFr-H39@*PrX%$msH?gKKH=s(@_gc0q44icO=V^HPCxW|EbVgE z_1X6wgO$OX+W2g9CPCmd!?Qdo@nGxcZ9o1$YD4KSBIpk1eOcmIq0Az`jGm>~NzOjk z0A~7kH&k;fx3xIStv<$U$juiDaMlP8Gxk3-c|6f({r?sR^LaXpg9?laP|It$vkeUg#dJQip+1AhJ_s-5_4B<2l8ToOm)T}BfeWTR;Lr+dwR zi9#RNsd5bBmp*x`S`bFOHJf9verf~t7`y@zeaA`@!fuT7-fL(S&hez$2&Z!wc1Nwd zWzpz2_YAmQD|^%l%@|)8iaGxkvVe84s(kRQyllel&l!&6^X7a1ljYNiKmfsjD6l>- 
zO7-;v{$3E*=bCpAPIYPN+>)3}FkNi7O5haG!oZpwpd^Rg97()M{v=zKwGB;7b~ShW z8#OSFa#7JE7 zgVb#O(*|zY-Ou-3m3v87^j}()$bfCu0Nj`>iMBn55`oTKZ?$WxLo3GFg_<8HMfPiq zs08~~O*ByYLXq9C@A2VVX~JZ~5JbP+n_Tu&$JDJAijLr#7{2q(o+Xguf^ZMQ=g|4l zmigfQh7{?qX|oYWMyPakdv#Ul)p*=;?*}9~1eqE<5$d@Sy~b0m#rmBT^#d7hS+yx7 z2NayZp7{7zN}P}?X}7hKd?>G+C*|?gZgY4JJ$WPR4BI=803o(&F4jfo%TR6q)!z-o z@syeMJ#Eug#E2SZGTbth9$H2F@TJMA(v+C;PIS2!peme)Pdgo@y*#8Gu5kP3GgIDq z%SdsEET?}^Vti$g(sR)~LILT_UE@|X&9YbL*wARyMhMZPGkkX5q)~f)IF{?``3oBHHNTZWy!kT)0R|+NhF6o z2M5q=+snVH-{gnFf{D{n;~cgc8!o|Ts2XkeGxD^i#A4Wp2vHUlQNSopU^vwkQUOcv z=W9wY!kek7zt&C7?ak;c*VI8Et}l^{QFnNaifA9hc+OYVj6A&w6;8MJEu1)iqc^nd zooDr~nDtoDr3GB!9AgR7yilbyevb~!L59rn*2vS};Z?&wJ1R6BIrcAX|6`3R>5$%C|%8j)21B$?VDWMG>Q0H+L8B~?KrP86lZIL z<}$2S;yBCE^An&Bp*cBmmf3pdFi@p;L*z0u@#W4Bb(q}1^T&Vfs?Vm={L8*K8z+QD zVTHpVUCEaj;%$Y6`C_NwnO;K@?8>8WE*1c?7}@H5b*qSCcA5NOYHi#fj|3DxCbZ#w z+=#~5v`EBR>+pBPTi?hM8xc&tE4y8@yufytTemy!ivUQIGtq83G@kLyU%m-wr>~&t zQLmu?N#b!qC&(8XIoe{Ej8bwx_LWaLdT}N~YIr;-#-HQKmlN^l4H5EvioCD8x^@1auGBO8V+{1>ZtlHQ~Sw}@!2AS-&_bJea4+fxcX(q|;0e4@7M!9ex%hXxs4c-(R zZFG9Jl&n_bE>3SlyR`uqmkCI0`lIoh+L7C`RVl_r8f2ojd8&s$kMq|82D$y}R~h-Q z6;mJ9SLeq89`7i!xK{{f6Bv3)~R>hc^ zUIvT<0ntM`3)eVj_82pa9bPlbUor-vY>_>xO-*TviY06UdAZw>%iPJ#^PiwC73vMd zyS60x{NOxo;DWF6VB0r~zEWWiLu<{=8z?J%@;F`~PzJN%3>@X%S@IrVp*VeNHGp1Y zN%UY~J6}Tj%`12b$_3wbrXr8++OlIu(aGxrzuwq5R`}&|eobj}V(MKWxU5zMIjE7% zj(N>15!)3N`~q7L$}1BJk5dQyQVl+mbJbd9AVMJ=HfA>b#q{&X>0n28Y+AZ$1>hJI zNUlK)&R^?C&nk1$SMP}bU5EW;&Yi97S7zyASG-4dNGg6314|N}Hj_Z9s)~}x29%?` zMAZ~;#6ZHZ=$kTzuRGriSV5CeVQ381R~dCz=ZbC&#q1w*3(d4r?kI+@{K+Wucuw5Y z0*0rGd?1^A_UBQJycw0OL~S2N9AGF0oO)`yxDchyil03)tQH?bQZ7MMAx2at5``5* zQ(mXbu4L7~ij{o7sA^&>bBm!(^rf;rm2=u4c`F4g{O0jnIXTh#$0k-}!Lr_RqNUW3 zVI7R$i7MufINZ$y#(BJjZgNVeU7qo;`&8Ns%IGt$`xj;V*xeWjbmXAtSKtK|PavJ6 z`_nFhnbAZhi|Jm{OEKbyUDWTNaEw`TjjBFtsmG~MO##7tA)G(yrb2@_XF>P4bC;LY z6rjI^*+dDWzdrMKFQL9+*O@n!JF9&3zM^N0Z!y-;-m3Hi$4Z5&4{nUMd(vAgju{t= zU4pvnQI!EL$Ma6N!Orp7Q=qGpF+wBHeWpAeM{OT9BqLa9iM 
zBS{#_kl!#VnrZ2(*?f61wm&Mr>lNHqcNG0ikCIS@JYjtg^6A6AhhHE@D|_aj0sw3G zG-sak20gE1`^tgf!h+rPs8|Oz&iZt9c`8{(@qVoO+yVh-26G^s0$Ah7OVNl56kGiS zy?CbfpARFYo#YGMz4SFz)L9Q-MH)Vg|0GyA1aWpUz(OGw()eEZxx#q&rCS zVahJ}=8vbA=ack=T)Zane{%0SGWvX*RKkR+aqy`+ru8F0=dkhB4g;oT{aaK9Az)&@y% z_9`+>IF5ubiSFZzMkTQkJ5-D_Br0#YBc)tQd=}DM@NMdTEobiqgMN} zrIDjk%S}69KVv6jriS$O;ziL1cf~bDTDX?3PKZS)zBKA4&g%Q2f!7LO`j2YJvct5& zO-;O2k2vIArAT_{P3%s?p#ctTvZNaF&VJe;z9xRB4K`UNlAdxCYh}}UXkHoCRASMq zn#NuT#G5Kae_<2{wB@Msd)68=eFMh~*nD67Mn3M|GeWBV-XBrLWbI|dmL>1idvjRl zoAIWr{GS$*`UPe+*Z#f#+;8k`2>(yG{GNNp>K`#;CdSz~=L+DyBa3YC?jPKBzG?3u z%W#pujI_1zSVFZT^p9_|>spET4%hyKn4#YN?C_~+lZIA#f~%P9WL`X=wl-r*E`@m8 zr#c*kjrgRZH8z&Om@k;{at6GRn5dsmab*)N<{-QK(bEZ>|5ds#xJW!2|HB<<$8ML4 m1F#xQR>Zs`6F~OI?s<|->5$a=-;a|iq*8(?y^?US@&5qDV<|HL diff --git a/Solutions/DigitalGuardianDLP/Package/mainTemplate.json b/Solutions/DigitalGuardianDLP/Package/mainTemplate.json index 3b60db25644..3afe782da3e 100644 --- a/Solutions/DigitalGuardianDLP/Package/mainTemplate.json +++ b/Solutions/DigitalGuardianDLP/Package/mainTemplate.json @@ -2872,7 +2872,7 @@ ], "categories": { "domains": [ - "Security – Information Protection" + "Security - Information Protection" ] } },