diff --git a/Solutions/Microsoft Defender XDR/Package/3.0.1.zip b/Solutions/Microsoft Defender XDR/Package/3.0.1.zip
index 668574f0117..d600832401d 100644
Binary files a/Solutions/Microsoft Defender XDR/Package/3.0.1.zip and b/Solutions/Microsoft Defender XDR/Package/3.0.1.zip differ
diff --git a/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json b/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json
index a9344ce50c1..7057ad4f034 100644
--- a/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json
+++ b/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json
@@ -124,7 +124,7 @@
 "name": "workbook2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "A wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through M365 Defender Connector."
+ "text": "A workbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through Microsoft Defender XDR Connector."
 }
 }
 ]
diff --git a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json
index da0d5c28d6b..d3211d028e3 100644
--- a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json
+++ b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json
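Review bot: The corrected `+` line in the createUiDefinition.json hunk still reads "Advance Hunting"; the Defender feature is called "Advanced hunting", so the wording fix is incomplete, e.g. `"text": "A workbook to provide details about Microsoft Defender for Endpoint Advanced Hunting to Overview & Analyse data brought through Microsoft Defender XDR Connector."`. This is installer display text only, so nothing functional depends on it, but it is the line being touched anyway.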
@@ -69,90 +69,96 @@ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "analyticRuleVersion1": "1.0.1", - "analyticRulecontentId1": "6c3a1258-bcdd-4fcd-b753-1a9bc826ce12", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", - "analyticRuleVersion2": "1.0.1", - "analyticRulecontentId2": "53e936c6-6c30-4d12-8343-b8a0456e8429", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", - "analyticRuleVersion3": "1.0.1", - 
"analyticRulecontentId3": "1bf6e165-5e32-420e-ab4f-0da8558a8be2", - "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", - "analyticRuleVersion4": "1.0.5", - "analyticRulecontentId4": "738702fd-0a66-42c7-8586-e30f0583f8fe", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", - "analyticRuleVersion5": "1.0.4", - "analyticRulecontentId5": "ce1e7025-866c-41f3-9b08-ec170e05e73e", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", - "_analyticRulecontentProductId5": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", - "analyticRuleVersion6": "1.0.6", - "analyticRulecontentId6": "a3c144f9-8051-47d4-ac29-ffb0c312c910", - "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", - "analyticRuleVersion7": "1.1.2", - "analyticRulecontentId7": "b6685757-3ed1-4b05-a5bd-2cacadc86c2a", - "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", - "analyticRuleVersion8": "1.0.2", - "analyticRulecontentId8": "1785d372-b9fe-4283-96a6-3a1d83cabfd1", - "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - 
"analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", - "analyticRuleVersion9": "1.0.2", - "analyticRulecontentId9": "3bd33158-3f0b-47e3-a50f-7c20a1b88038", - "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", - "analyticRuleVersion10": "1.0.0", - "analyticRulecontentId10": "26e81021-2de6-4442-a74a-a77885e96911", - "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", - "huntingQueryVersion1": "1.1.0", - "huntingQuerycontentId1": 
"cdac93ef-56c0-45bf-9e7f-9cbf0ad06808", - "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", - "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", - "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", - "huntingQueryVersion2": "1.1.0", - "huntingQuerycontentId2": "cdac93ef-56c0-45bf-9e7f-9cbf0ad034234", - "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", - "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", - "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", - "huntingQueryVersion3": "1.0.1", - "huntingQuerycontentId3": "cdac93ef-56c0-45bf-9e7f-9cbf0ad06567", - "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", - "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", - "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", - "huntingQueryVersion4": "1.0.1", - "huntingQuerycontentId4": "cdac93ef-56c0-45bf-9e7f-9cbf0ad06123", - "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", - "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", - "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.1", + "_analyticRulecontentId1": "6c3a1258-bcdd-4fcd-b753-1a9bc826ce12", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6c3a1258-bcdd-4fcd-b753-1a9bc826ce12')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6c3a1258-bcdd-4fcd-b753-1a9bc826ce12')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6c3a1258-bcdd-4fcd-b753-1a9bc826ce12','-', '1.0.1')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.1", + "_analyticRulecontentId2": "53e936c6-6c30-4d12-8343-b8a0456e8429", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '53e936c6-6c30-4d12-8343-b8a0456e8429')]", + "analyticRuleTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('53e936c6-6c30-4d12-8343-b8a0456e8429')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','53e936c6-6c30-4d12-8343-b8a0456e8429','-', '1.0.1')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.1", + "_analyticRulecontentId3": "1bf6e165-5e32-420e-ab4f-0da8558a8be2", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1bf6e165-5e32-420e-ab4f-0da8558a8be2')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1bf6e165-5e32-420e-ab4f-0da8558a8be2')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1bf6e165-5e32-420e-ab4f-0da8558a8be2','-', '1.0.1')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.5", + "_analyticRulecontentId4": "738702fd-0a66-42c7-8586-e30f0583f8fe", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '738702fd-0a66-42c7-8586-e30f0583f8fe')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('738702fd-0a66-42c7-8586-e30f0583f8fe')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','738702fd-0a66-42c7-8586-e30f0583f8fe','-', '1.0.5')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.4", + "_analyticRulecontentId5": "ce1e7025-866c-41f3-9b08-ec170e05e73e", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ce1e7025-866c-41f3-9b08-ec170e05e73e')]", + 
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ce1e7025-866c-41f3-9b08-ec170e05e73e')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ce1e7025-866c-41f3-9b08-ec170e05e73e','-', '1.0.4')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.0.6", + "_analyticRulecontentId6": "a3c144f9-8051-47d4-ac29-ffb0c312c910", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a3c144f9-8051-47d4-ac29-ffb0c312c910')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a3c144f9-8051-47d4-ac29-ffb0c312c910')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a3c144f9-8051-47d4-ac29-ffb0c312c910','-', '1.0.6')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.1.2", + "_analyticRulecontentId7": "b6685757-3ed1-4b05-a5bd-2cacadc86c2a", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b6685757-3ed1-4b05-a5bd-2cacadc86c2a')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b6685757-3ed1-4b05-a5bd-2cacadc86c2a')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b6685757-3ed1-4b05-a5bd-2cacadc86c2a','-', '1.1.2')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.0.2", + "_analyticRulecontentId8": "1785d372-b9fe-4283-96a6-3a1d83cabfd1", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'1785d372-b9fe-4283-96a6-3a1d83cabfd1')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1785d372-b9fe-4283-96a6-3a1d83cabfd1')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1785d372-b9fe-4283-96a6-3a1d83cabfd1','-', '1.0.2')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.0.2", + "_analyticRulecontentId9": "3bd33158-3f0b-47e3-a50f-7c20a1b88038", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3bd33158-3f0b-47e3-a50f-7c20a1b88038')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3bd33158-3f0b-47e3-a50f-7c20a1b88038')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3bd33158-3f0b-47e3-a50f-7c20a1b88038','-', '1.0.2')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "1.0.0", + "_analyticRulecontentId10": "26e81021-2de6-4442-a74a-a77885e96911", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '26e81021-2de6-4442-a74a-a77885e96911')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('26e81021-2de6-4442-a74a-a77885e96911')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','26e81021-2de6-4442-a74a-a77885e96911','-', '1.0.0')))]" + }, + "huntingQueryObject1": { + "huntingQueryVersion1": "1.1.0", + "_huntingQuerycontentId1": "cdac93ef-56c0-45bf-9e7f-9cbf0ad06808", + "huntingQueryTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cdac93ef-56c0-45bf-9e7f-9cbf0ad06808')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "1.1.0", + "_huntingQuerycontentId2": "cdac93ef-56c0-45bf-9e7f-9cbf0ad034234", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cdac93ef-56c0-45bf-9e7f-9cbf0ad034234')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.1", + "_huntingQuerycontentId3": "cdac93ef-56c0-45bf-9e7f-9cbf0ad06567", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cdac93ef-56c0-45bf-9e7f-9cbf0ad06567')))]" + }, + "huntingQueryObject4": { + "huntingQueryVersion4": "1.0.1", + "_huntingQuerycontentId4": "cdac93ef-56c0-45bf-9e7f-9cbf0ad06123", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cdac93ef-56c0-45bf-9e7f-9cbf0ad06123')))]" + }, "workbookVersion1": "1.0.0", "workbookContentId1": "MDOWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", @@ -645,7 +651,7 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName1')]", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
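Review bot: The rebuilt `huntingQueryObject1`–`huntingQueryObject4` variables carry only a version, a content id and a template-spec name, whereas the removed flat set also defined `huntingQueryId1`–`4` and `_huntingQuerycontentProductId1`–`4`; the analytic-rule objects keep their `analyticRuleIdN` and `_analyticRulecontentProductIdN`, so the hunting-query resources (outside this chunk) must either have been migrated to inline expressions or they will fail template validation on an undefined variable — worth confirming before the 3.0.1 package is published. Two further points on the same hunk. The new objects inline each GUID and version literal into three or four expressions instead of referencing the variable (for example `'6c3a1258-bcdd-4fcd-b753-1a9bc826ce12'` and `'1.0.1'` in `_analyticRulecontentProductId1`), so a future id or version bump has to be applied in several places and a missed one silently changes `contentProductId` without changing `contentId`; if this template is tool-generated the fix belongs in the generator. Also, `_huntingQuerycontentId2` is carried over as `cdac93ef-56c0-45bf-9e7f-9cbf0ad034234`, whose last group has 13 hex characters rather than 12, so it is not a well-formed GUID — it predates this commit, but since it feeds `uniquestring()` and is the published content id, confirm it against the query's source `id` before it is baked into another release.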
@@ -654,13 +660,13 @@ "description": "PossiblePhishingwithCSL&NetworkSession_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId1')]", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -765,48 +771,48 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "DestinationIP" + "columnName": "DestinationIP", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } 
@@ -814,13 +820,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", "properties": { "description": "Microsoft Defender XDR Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", "source": { "kind": "Solution", "name": "Microsoft Defender XDR", 
@@ -845,18 +851,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId1')]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "contentKind": "AnalyticsRule", "displayName": "Possible Phishing with CSL and Network Sessions", - "contentProductId": "[variables('_analyticRulecontentProductId1')]", - "id": "[variables('_analyticRulecontentProductId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName2')]", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -865,13 +871,13 @@ "description": "SUNSPOTHashes_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId2')]", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -905,17 +911,17 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -923,13 +929,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { "description": "Microsoft Defender XDR Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "Microsoft Defender XDR", 
@@ -954,18 +960,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId2')]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "contentKind": "AnalyticsRule", "displayName": "SUNSPOT malware hashes", - "contentProductId": "[variables('_analyticRulecontentProductId2')]", - "id": "[variables('_analyticRulecontentProductId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName3')]", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -974,13 +980,13 @@ "description": "PotentialBuildProcessCompromiseMDE_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId3')]", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -1014,17 +1020,17 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -1032,13 +1038,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { "description": "Microsoft Defender XDR Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "Microsoft Defender XDR", 
@@ -1063,18 +1069,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId3')]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "contentKind": "AnalyticsRule", "displayName": "Potential Build Process Compromise - MDE", - "contentProductId": "[variables('_analyticRulecontentProductId3')]", - "id": "[variables('_analyticRulecontentProductId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName4')]", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1083,13 +1089,13 @@ "description": "SolarWinds_TEARDROP_Process-IOCs_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId4')]", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1126,39 +1132,39 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountEntity" + "columnName": "AccountEntity", + "identifier": "Name" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { - "identifier": "Algorithm", - "columnName": "FileHashType" + "columnName": "FileHashType", + "identifier": "Algorithm" }, { - "identifier": "Value", - "columnName": "InitiatingProcessSHA1" + "columnName": "InitiatingProcessSHA1", + "identifier": "Value" } - ], - "entityType": "FileHash" + ] } ] } 
@@ -1166,13 +1172,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
 "properties": {
 "description": "Microsoft Defender XDR Analytics Rule 4",
- "parentId": "[variables('analyticRuleId4')]",
- "contentId": "[variables('_analyticRulecontentId4')]",
+ "parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion4')]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Defender XDR",
@@ -1197,18 +1203,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId4')]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
 "contentKind": "AnalyticsRule",
 "displayName": "TEARDROP memory-only dropper",
- "contentProductId": "[variables('_analyticRulecontentProductId4')]",
- "id": "[variables('_analyticRulecontentProductId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName5')]",
+ "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1217,13 +1223,13 @@
 "description": "SolarWinds_SUNBURST_Network-IOCs_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion5')]",
+ "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId5')]",
+ "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1260,57 +1266,57 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountEntity" + "columnName": "AccountEntity", + "identifier": "Name" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "RemoteIP" + "columnName": "RemoteIP", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "RemoteUrl" + "columnName": "RemoteUrl", + "identifier": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { - "identifier": "Algorithm", - "columnName": "HashAlgorithm" + "columnName": "HashAlgorithm", + "identifier": "Algorithm" }, { - "identifier": "Value", - "columnName": "InitiatingProcessMD5" + "columnName": "InitiatingProcessMD5", + "identifier": "Value" } - ], - "entityType": "FileHash" + ] } ] } 
@@ -1318,13 +1324,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]",
 "properties": {
 "description": "Microsoft Defender XDR Analytics Rule 5",
- "parentId": "[variables('analyticRuleId5')]",
- "contentId": "[variables('_analyticRulecontentId5')]",
+ "parentId": "[variables('analyticRuleObject5').analyticRuleId5]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion5')]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Defender XDR",
@@ -1349,18 +1355,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId5')]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
 "contentKind": "AnalyticsRule",
 "displayName": "SUNBURST network beacons",
- "contentProductId": "[variables('_analyticRulecontentProductId5')]",
- "id": "[variables('_analyticRulecontentProductId5')]",
- "version": "[variables('analyticRuleVersion5')]"
+ "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName6')]",
+ "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1369,13 +1375,13 @@ "description": "SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId6')]", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1412,35 +1418,35 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Account" + "columnName": "Account", + "identifier": "Name" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } - ], - "entityType": "Host" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { - "identifier": "Algorithm", - "columnName": "AlgorithmEntity" + "columnName": "AlgorithmEntity", + "identifier": "Algorithm" }, { - "identifier": "Value", - "columnName": "FileHashEntity" + "columnName": "FileHashEntity", + "identifier": "Value" } - ], - "entityType": "FileHash" + ] } ] } 
@@ -1448,13 +1454,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]",
 "properties": {
 "description": "Microsoft Defender XDR Analytics Rule 6",
- "parentId": "[variables('analyticRuleId6')]",
- "contentId": "[variables('_analyticRulecontentId6')]",
+ "parentId": "[variables('analyticRuleObject6').analyticRuleId6]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion6')]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Defender XDR",
@@ -1479,18 +1485,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId6')]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
 "contentKind": "AnalyticsRule",
 "displayName": "SUNBURST and SUPERNOVA backdoor hashes",
- "contentProductId": "[variables('_analyticRulecontentProductId6')]",
- "id": "[variables('_analyticRulecontentProductId6')]",
- "version": "[variables('analyticRuleVersion6')]"
+ "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName7')]",
+ "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1499,13 +1505,13 @@ "description": "AVdetectionsrelatedtoUkrainebasedthreats_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId7')]", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1538,17 +1544,17 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -1556,13 +1562,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]",
 "properties": {
 "description": "Microsoft Defender XDR Analytics Rule 7",
- "parentId": "[variables('analyticRuleId7')]",
- "contentId": "[variables('_analyticRulecontentId7')]",
+ "parentId": "[variables('analyticRuleObject7').analyticRuleId7]",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion7')]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Defender XDR",
@@ -1587,18 +1593,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId7')]",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
 "contentKind": "AnalyticsRule",
 "displayName": "AV detections related to Ukraine threats",
- "contentProductId": "[variables('_analyticRulecontentProductId7')]",
- "id": "[variables('_analyticRulecontentProductId7')]",
- "version": "[variables('analyticRuleVersion7')]"
+ "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
+ "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName8')]",
+ "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1607,13 +1613,13 @@
 "description": "AVTarrask_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion8')]",
+ "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId8')]",
+ "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1646,26 +1652,26 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "PublicIP" + "columnName": "PublicIP", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -1673,13 +1679,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { "description": "Microsoft Defender XDR Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", "source": { "kind": "Solution", "name": "Microsoft Defender XDR", 
@@ -1704,18 +1710,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId8')]",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
 "contentKind": "AnalyticsRule",
 "displayName": "AV detections related to Tarrask malware",
- "contentProductId": "[variables('_analyticRulecontentProductId8')]",
- "id": "[variables('_analyticRulecontentProductId8')]",
- "version": "[variables('analyticRuleVersion8')]"
+ "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
+ "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName9')]",
+ "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1724,13 +1730,13 @@
 "description": "AVSpringShell_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion9')]",
+ "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId9')]",
+ "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1763,26 +1769,26 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "PublicIP" + "columnName": "PublicIP", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -1790,13 +1796,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", "properties": { "description": "Microsoft Defender XDR Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", "source": { "kind": "Solution", "name": "Microsoft Defender XDR", 
@@ -1821,18 +1827,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId9')]",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
 "contentKind": "AnalyticsRule",
 "displayName": "AV detections related to SpringShell Vulnerability",
- "contentProductId": "[variables('_analyticRulecontentProductId9')]",
- "id": "[variables('_analyticRulecontentProductId9')]",
- "version": "[variables('analyticRuleVersion9')]"
+ "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName10')]",
+ "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1841,13 +1847,13 @@
 "description": "PossibleWebpBufferOverflow_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion10')]",
+ "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId10')]",
+ "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1883,82 +1889,82 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "FullName" } - ], - "entityType": "Account" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "identifier": "ProcessId", - "columnName": "ProcessId" + "columnName": "ProcessId", + "identifier": "ProcessId" } - ], - "entityType": "Process" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "identifier": "ProcessId", - "columnName": "InitiatingProcessId" + "columnName": "InitiatingProcessId", + "identifier": "ProcessId" } - ], - "entityType": "Process" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "ProcessCommandLine" + "columnName": "ProcessCommandLine", + "identifier": "CommandLine" } - ], - "entityType": "Process" + ] } ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "Possible exploitation of CVE-2023-4863", - "alertDynamicProperties": [] + "alertDynamicProperties": [], + "alertDisplayNameFormat": "Possible exploitation of CVE-2023-4863" }, "incidentConfiguration": { + "createIncident": false, "groupingConfiguration": { + "matchingMethod": "Selected", + "enabled": false, + "reopenClosedIncident": false, "lookbackDuration": "5h", "groupByEntities": [ "Account" - ], - "matchingMethod": "Selected", - "reopenClosedIncident": false, - "enabled": false - }, - "createIncident": false + ] + } } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", "properties": { "description": "Microsoft Defender XDR Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", "source": { "kind": "Solution", "name": "Microsoft Defender XDR", 
@@ -1983,18 +1989,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId10')]",
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
 "contentKind": "AnalyticsRule",
 "displayName": "Execution of software vulnerable to webp buffer overflow of CVE-2023-4863",
- "contentProductId": "[variables('_analyticRulecontentProductId10')]",
- "id": "[variables('_analyticRulecontentProductId10')]",
- "version": "[variables('analyticRuleVersion10')]"
+ "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2003,7 +2009,7 @@
 "description": "Appspot Phishing Abuse_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion1')]",
+ "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
 "parameters": {},
 "variables": {},
 "resources": [
@@ -2037,13 +2043,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]",
 "properties": {
 "description": "Microsoft Defender XDR Hunting Query 1",
- "parentId": "[variables('huntingQueryId1')]",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
 "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion1')]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Defender XDR",
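Review bot: The new `name` and `parentId` lines each rebuild `resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)` inline, whereas the analytic-rule metadata in this same diff reads a precomputed member (`variables('analyticRuleObject4').analyticRuleId4`), so the two content kinds are now generated in different shapes for the same purpose. Presumably `huntingQueryObject1` has no id member yet (its definition is outside this chunk); adding one would let both lines collapse to `"parentId": "[variables('huntingQueryObject1').huntingQueryId1]"` and keep the saved-search resource id defined once. The same duplication appears in @@ -2122 and @@ -2207.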
@@ -2068,18 +2074,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
 "contentKind": "HuntingQuery",
 "displayName": "Appspot Phishing Abuse",
- "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
- "id": "[variables('_huntingQuerycontentProductId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.1.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.1.0')))]",
+ "version": "1.1.0"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName2')]",
+ "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2088,7 +2094,7 @@
 "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion2')]",
+ "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
 "parameters": {},
 "variables": {},
 "resources": [
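Review bot: The rewritten `contentProductId`, `id` and `version` of this hunting-query metadata hard-code the version as the literal `'1.1.0'`, while the same query's `contentVersion` in @@ -2003 and its metadata `version` in @@ -2037 still read `variables('huntingQueryObject1').huntingQueryVersion1`, so one query now carries two sources of truth for its version. Because the product id is a `uniqueString` over that version, a later bump to `huntingQueryVersion1` that is not mirrored in these three lines silently produces an id that no longer matches the content template it describes. The analytic-rule resources in this diff keep the product id inside the variable object (`analyticRuleObject3._analyticRulecontentProductId3`), and the hunting queries should follow the same shape: `"version": "[variables('huntingQueryObject1').huntingQueryVersion1]"` with that expression substituted for `'1.1.0'` in the two `uniqueString(...)` calls. The hunks at @@ -2153 (`'1.1.0'`) and @@ -2238 (`'1.0.1'`) have the same duplication.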
@@ -2122,13 +2128,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]",
 "properties": {
 "description": "Microsoft Defender XDR Hunting Query 2",
- "parentId": "[variables('huntingQueryId2')]",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
 "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion2')]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Defender XDR",
@@ -2153,18 +2159,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
 "contentKind": "HuntingQuery",
 "displayName": "Spoofing attempts from Specific Domains",
- "contentProductId": "[variables('_huntingQuerycontentProductId2')]",
- "id": "[variables('_huntingQuerycontentProductId2')]",
- "version": "[variables('huntingQueryVersion2')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.1.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.1.0')))]",
+ "version": "1.1.0"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName3')]",
+ "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2173,7 +2179,7 @@
 "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion3')]",
+ "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
 "parameters": {},
 "variables": {},
 "resources": [
@@ -2207,13 +2213,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]",
 "properties": {
 "description": "Microsoft Defender XDR Hunting Query 3",
- "parentId": "[variables('huntingQueryId3')]",
- "contentId": "[variables('_huntingQuerycontentId3')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
 "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion3')]",
+ "version": "[variables('huntingQueryObject3').huntingQueryVersion3]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Defender XDR",
@@ -2238,18 +2244,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId3')]",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
 "contentKind": "HuntingQuery",
 "displayName": "Determine Successfully Delivered Phishing Emails by top IP Addresses",
- "contentProductId": "[variables('_huntingQuerycontentProductId3')]",
- "id": "[variables('_huntingQuerycontentProductId3')]",
- "version": "[variables('huntingQueryVersion3')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.1')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.1')))]",
+ "version": "1.0.1"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName4')]",
+ "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -2258,7 +2264,7 @@
 "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion4')]",
+ "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
 "parameters": {},
 "variables": {},
 "resources": [
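Review bot: For hunting query 3 the literal `'1.0.1'` is baked into the `contentProductId` and `id` hashes and into `"version": "1.0.1"`, whereas the object field `huntingQueryObject3.huntingQueryVersion3` is what the template `contentVersion` and the item's metadata `version` use in the neighbouring hunks; the two can silently diverge on the next query revision, producing a product id that no longer matches the version actually shipped. Replacing the literal with `variables('huntingQueryObject3').huntingQueryVersion3` in all three places, and collapsing the duplicated `id` expression into a single object field referenced twice, removes the drift risk. The enclosing metadata object starts outside the hunk.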
@@ -2292,13 +2298,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]",
 "properties": {
 "description": "Microsoft Defender XDR Hunting Query 4",
- "parentId": "[variables('huntingQueryId4')]",
- "contentId": "[variables('_huntingQuerycontentId4')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
 "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion4')]",
+ "version": "[variables('huntingQueryObject4').huntingQueryVersion4]",
 "source": {
 "kind": "Solution",
 "name": "Microsoft Defender XDR",
@@ -2323,12 +2329,12 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId4')]",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
 "contentKind": "HuntingQuery",
 "displayName": "Determine Successfully Delivered Phishing Emails to Inbox/Junk folder.",
- "contentProductId": "[variables('_huntingQuerycontentProductId4')]",
- "id": "[variables('_huntingQuerycontentProductId4')]",
- "version": "[variables('huntingQueryVersion4')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.1')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.1')))]",
+ "version": "1.0.1"
 }
 },
 {
@@ -2340,7 +2346,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MDO InsightsWorkbook Workbook with template version 3.0.1",
+ "description": "MDO Insights Workbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
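Review bot: The hunting query 4 package entry pins `'1.0.1'` as a literal in both `uniqueString(...)` calls and in `"version": "1.0.1"`, yet the item's metadata `version` and template `contentVersion` in the earlier hunks come from `variables('huntingQueryObject4').huntingQueryVersion4`; the literal and the object field are two sources of truth that nothing in this template ties together. Use `"version": "[variables('huntingQueryObject4').huntingQueryVersion4]"` and the same reference in place of `'1.0.1'` inside the hashes so a version bump in one place propagates to the product id. The `id` value is a verbatim copy of `contentProductId`; one object field referenced from both would avoid the duplication. The enclosing metadata object starts outside the hunk.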
@@ -2428,7 +2434,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MicrosoftDefenderForEndPointWorkbook Workbook with template version 3.0.1",
+ "description": "MicrosoftDefenderForEndPoint Workbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]",
@@ -2442,11 +2448,11 @@ "kind": "shared", "apiVersion": "2021-08-01", "metadata": { - "description": "A wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through M365 Defender Connector." + "description": "A workbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through Microsoft Defender XDR Connector." }, "properties": { "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Microsoft Defender for Endpoint (Preview)\\n---\\n\\nA wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through M365 Defender Connector.\\n\\n\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b22a3bd7-19b3-495d-a0df-95a7a59d98ff\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"value\":{\"durationMs\":172800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"f0450560-ef16-4aa9-a3ad-7485dd909587\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }]\",\"label\":\"Show 
Help\",\"value\":\"Yes\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":1,\"content\":{\"json\":\"\\r\\n|Overview|Device|Network|File|\\r\\n|--------|------|-------|----|\\r\\n|MDE Tables Last Data Received|Source of the AV detections|Internet Connected Devices|FileActivityCount per Device|\\r\\n|Daily Data Flow on MDE Tables|Get stats on ASR audit events|Count By Machine Group|Count by InitiatingProcessAccountUpn|\\r\\n|Device Heartbeat|Get stats on ASR blocks|Count By Network Adaptor||\\r\\n|Device where files are copied to USB Drive|AV Detections with USB Disk Drive|TimeSeries on Network Activity||\\r\\n|Device Internet Connectivity Status |List files copied to USB mounted drives|Top 10 RemoteUrl accessed over TimeRange||\\r\\n|Device Count by DNS Suffix ||Tor Clients||\\r\\n|Device Microsoft Entra ID Join status ||||\\r\\n|Device ClientVersion ||||\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 8\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"454d4e02-26ba-4195-ae30-94752bbf4603\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"Overview\",\"preText\":\"Overview\",\"style\":\"link\"},{\"id\":\"3d902e84-3e5b-4631-85d1-c229ec2abf75\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Device\",\"subTarget\":\"Device\",\"style\":\"link\"},{\"id\":\"bbc20288-b398-4f63-b7a9-e3830213bb34\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Network\",\"subTarget\":\"Network\",\"style\":\"link\"},{\"id\":\"edab4a44-8ca3-4ba1-bede-4186f4376d28\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"File\",\"subTarget\":\"File\",\"style\":\"link\"}]},\"name\":\"links - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union \\r\\nisfuzzy = true\\r\\n(DeviceInfo | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type= \\\"DeviceInfo\\\" | extend Description = \\\"Machine information (including OS information)\\\"),\\r\\n(DeviceNetworkInfo | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceNetworkInfo\\\" | extend Description = \\\"Network properties of machines\\\"),\\r\\n(DeviceProcessEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceProcessEvents\\\" | extend Description = \\\"Process creation and related events\\\"),\\r\\n(DeviceNetworkEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceNetworkEvents\\\" | extend Description = \\\"Network connection and related events\\\"),\\r\\n(DeviceFileEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceFileEvents\\\" | extend Description = \\\"File creation, modification, and other file system events\\\"),\\r\\n(DeviceRegistryEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceRegistryEvents\\\" | extend Description = \\\"Creation and modification of registry entries\\\"),\\r\\n(DeviceLogonEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceLogonEvents\\\" | extend Description = \\\"Sign-ins and other authentication events\\\"),\\r\\n(DeviceImageLoadEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceImageLoadEvents\\\" | extend Description = \\\"DLL loading events\\\"),\\r\\n(DeviceEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceEvents\\\" | extend Description = \\\"Additional events types\\\"),\\r\\n(DeviceFileCertificateInfo | summarize arg_max(TimeGenerated,*) | project TimeGenerated, 
Type=\\\"DeviceFileCertificateInfo\\\" | extend Description = \\\"Certificate information of signed files)\\\")\\r\\n| extend [\\\"Last Log Received At (Local Time)\\\"] = TimeGenerated\\r\\n| project Type, Description, [\\\"Last Log Received At (Local Time)\\\"]\",\"size\":0,\"title\":\"MDE Tables Last Data Received based on {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Type\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Last Log Received At\",\"formatter\":6,\"dateFormat\":{\"formatName\":\"fullDateTimePattern\"}}],\"filter\":true}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllDeviceNames = DeviceInfo | distinct DeviceId, DeviceName;\\nlet DeviceEventSummary = DeviceEvents | summarize count() by DeviceId, Type, bin(TimeGenerated,1d);\\nlet DeviceNetworkEventsSummary = DeviceNetworkEvents | summarize count() by DeviceId,Type, bin(TimeGenerated,1d);\\nlet DeviceNetworkInfoSummary = DeviceNetworkInfo | summarize count() by DeviceId,Type, bin(TimeGenerated,1d);\\nlet DeviceLogonEventsSummary = DeviceLogonEvents | summarize count() by DeviceId,Type, bin(TimeGenerated,1d);\\nlet DeviceRegistryEventsSummary = DeviceRegistryEvents | summarize count() by DeviceId,Type, bin(TimeGenerated,1d);\\nlet DeviceProcessEventsSummary = DeviceProcessEvents | summarize count() by DeviceId,Type, bin(TimeGenerated,1d);\\n(DeviceEventSummary\\n| union DeviceNetworkEventsSummary,\\nDeviceNetworkEventsSummary,\\nDeviceNetworkInfoSummary,\\nDeviceLogonEventsSummary,\\nDeviceRegistryEventsSummary,\\nDeviceProcessEventsSummary)\\n| join kind=inner ( \\nAllDeviceNames\\n)\\non $left.DeviceId == $right.DeviceId\\n| project-reorder Type, TimeGenerated, count_\\n//| project-away DeviceId, 
DeviceId1\",\"size\":1,\"title\":\"Daily Data Flow on MDE Tables over {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"xAxis\":\"count_\"}},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceInfo \\r\\n| summarize arg_max(TimeGenerated,*) by DeviceId\\r\\n| extend ParsedFields=parse_json(LoggedOnUsers)[0]\\r\\n| extend DurationAtLeast= format_timespan(now()-TimeGenerated,'dd:hh:mm:ss')\\r\\n| project DurationAtLeast,TimeGenerated,DeviceName,DomainName=ParsedFields.DomainName,UserName=ParsedFields.UserName\\r\\n| order by DurationAtLeast asc\",\"size\":0,\"title\":\"Device Heartbeat from TimeTange {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let UsbDriveMount = DeviceEvents\\r\\n| where ActionType==\\\"UsbDriveMounted\\\"\\r\\n| extend ParsedFields=parse_json(AdditionalFields)\\r\\n| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=Timestamp,\\r\\nProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer\\r\\n| order by DeviceId asc, MountTime desc;\\r\\nlet FileCreation = DeviceFileEvents\\r\\n| where InitiatingProcessAccountName != \\\"system\\\"\\r\\n| where ActionType == \\\"FileCreated\\\"\\r\\n| where FolderPath !startswith \\\"C:\\\\\\\\\\\"\\r\\n| where FolderPath !startswith \\\"\\\\\\\\\\\"\\r\\n| project ReportId,DeviceId,InitiatingProcessAccountDomain,\\r\\nInitiatingProcessAccountName,InitiatingProcessAccountUpn,\\r\\nFileName, FolderPath, SHA256, Timestamp, SensitivityLabel, IsAzureInfoProtectionApplied\\r\\n| order by DeviceId asc, Timestamp desc;\\r\\nFileCreation | lookup 
kind=inner (UsbDriveMount) on DeviceId\\r\\n| where FolderPath startswith DriveLetter\\r\\n| where Timestamp >= MountTime\\r\\n| partition by ReportId ( top 1 by MountTime )\\r\\n| order by DeviceId asc, Timestamp desc\\r\\n| summarize FileCount = count() by DeviceName\\r\\n| order by FileCount desc\",\"size\":1,\"title\":\"Device where files are copied to USB Drive from TimeTange {TimeRange}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"red\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkInfo\\r\\n| summarize arg_max(TimeGenerated,*) by DeviceId\\r\\n| mvexpand ConnectedNetworks\\r\\n| summarize count() by tostring(ConnectedNetworks.IsConnectedToInternet)\",\"size\":1,\"title\":\"Device Internet Connectivity Status from TimeTange {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"red\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceInfo\\r\\n| where isnotempty(OSPlatform)\\r\\n| summarize arg_max(Timestamp, DeviceName) by DeviceId\\r\\n| extend DeviceMachineName = split(DeviceName, '.')[0]\\r\\n| extend DeviceDomain = substring(DeviceName, strlen(DeviceMachineName) + 1, strlen(DeviceName) - strlen(DeviceMachineName) - 1)\\r\\n| summarize count() by DeviceDomain\",\"size\":1,\"title\":\"Device Count by DNS 
Suffix\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"filter\":true},\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"30\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceInfo\\r\\n| where isnotempty(OSPlatform)\\r\\n| summarize arg_max(TimeGenerated, *) by DeviceId\\r\\n| summarize count() by tostring(IsAzureADJoined)\",\"size\":1,\"title\":\"Device EntraID Join status\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"filter\":true},\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"30\",\"name\":\"query - 0 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceInfo\\r\\n| where isnotempty(OSPlatform)\\r\\n| summarize arg_max(TimeGenerated, *) by DeviceId\\r\\n| summarize count() by ClientVersion\",\"size\":1,\"title\":\"Device ClientVersion\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"filter\":true},\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"30\",\"name\":\"query - 0 - Copy - Copy - Copy - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Overview\"},\"name\":\"groupOverview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//This query shows the source of the AV detections (e.g., the website the file was downloaded from etc.)\\r\\n//\\r\\n//Get the list of AV detections\\r\\nlet avDetections =\\r\\nDeviceEvents\\r\\n| where ActionType == \\\"AntivirusDetection\\\" 
and isnotempty(MD5)\\r\\n| extend ParsedFields=parse_json(AdditionalFields)\\r\\n| project Timestamp, DeviceName, ThreatName=tostring(ParsedFields.ThreatName), FileName, FolderPath, MD5;\\r\\n//Get a list of file creations\\r\\nlet fileCreations =\\r\\nDeviceFileEvents \\r\\n| where (isnotempty(FileOriginReferrerUrl) or isnotempty(FileOriginUrl)) and isnotempty(MD5)\\r\\n| project MD5, FileOriginUrl, FileOriginReferrerUrl, InitiatingProcessFileName, InitiatingProcessParentFileName;\\r\\n//Join the file creations and AV detections on the MD5 of the file\\r\\navDetections | join kind=inner (fileCreations) on MD5\\r\\n| project-away MD51 //Remove the duplicated MD5 field\\r\\n| sort by Timestamp desc \",\"size\":0,\"title\":\"Source of the AV detections for {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\r\\n| where ActionType startswith \\\"Asr\\\" and ActionType endswith \\\"Audited\\\"\\r\\n// Count total stats - count events and machines per rule\\r\\n| summarize EventCount=count(), MachinesCount=dcount(DeviceId) by ActionType\",\"size\":0,\"title\":\"Get stats on ASR audit events - count events and machines per rule for {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\r\\n| where ActionType startswith \\\"Asr\\\" and ActionType endswith \\\"Blocked\\\"\\r\\n// Count total stats - count events and machines per rule\\r\\n| summarize EventCount=count(), MachinesCount=dcount(DeviceId) by ActionType\",\"size\":0,\"title\":\"Get stats on ASR blocks - count events and machines per rule for 
{TimeRange}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//This query make a best-guess detection regarding which removable media device caused an AV detection\\r\\n//The query is best run over 30 days to get the full USB history\\r\\n//\\r\\n//Get a list of USB AV detections. This assumes any path not beginning with C is a removable/USB device\\r\\nlet usbDetections =\\r\\n DeviceEvents\\r\\n | where ActionType == \\\"AntivirusDetection\\\" and FolderPath !startswith \\\"c\\\" and FolderPath matches regex \\\"^[A-Za-z]{1}\\\"\\r\\n | extend ParsedFields=parse_json(AdditionalFields)\\r\\n | project DetectionTime=Timestamp, DeviceName, ThreatName=tostring(ParsedFields.ThreatName), FileName, FolderPath;\\r\\n//Get a list of USB disk drive connections, grouped by computer name and DeviceID\\r\\nlet usbConnections = \\r\\n DeviceEvents\\r\\n | where ActionType == \\\"PnpDeviceConnected\\\"\\r\\n | extend parsed=parse_json(AdditionalFields)\\r\\n | project Timestamp, DeviceName, DeviceId=tostring(parsed.DeviceId), ClassName=tostring(parsed.ClassName)\\r\\n | where ClassName == \\\"DiskDrive\\\"\\r\\n | summarize UsbFirstSeen=min(Timestamp), UsbLastSeen=max(Timestamp) by DeviceId, DeviceName;\\r\\n//Join USB AV detections and connections, where the detection occurs after the USB has been plugged in\\r\\nusbDetections | join kind=inner (usbConnections) on DeviceName | where DetectionTime > UsbFirstSeen and DetectionTime < UsbLastSeen\\r\\n| project DetectionTime, DeviceName, ThreatName, FileName, FolderPath, DeviceId, UsbFirstSeen, UsbLastSeen\\r\\n| sort by DetectionTime desc\",\"size\":0,\"title\":\"AV Detections with USB Disk Drive for {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let UsbDriveMount = DeviceEvents\\r\\n| where ActionType==\\\"UsbDriveMounted\\\"\\r\\n| extend ParsedFields=parse_json(AdditionalFields)\\r\\n| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=Timestamp,\\r\\nProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer\\r\\n| order by DeviceId asc, MountTime desc;\\r\\nlet FileCreation = DeviceFileEvents\\r\\n| where InitiatingProcessAccountName != \\\"system\\\"\\r\\n| where ActionType == \\\"FileCreated\\\"\\r\\n| where FolderPath !startswith \\\"C:\\\\\\\\\\\"\\r\\n| where FolderPath !startswith \\\"\\\\\\\\\\\"\\r\\n| project ReportId,DeviceId,InitiatingProcessAccountDomain,\\r\\nInitiatingProcessAccountName,InitiatingProcessAccountUpn,\\r\\nFileName, FolderPath, SHA256, Timestamp, SensitivityLabel, IsAzureInfoProtectionApplied\\r\\n| order by DeviceId asc, Timestamp desc;\\r\\nFileCreation | lookup kind=inner (UsbDriveMount) on DeviceId\\r\\n| where FolderPath startswith DriveLetter\\r\\n| where Timestamp >= MountTime\\r\\n| partition by ReportId ( top 1 by MountTime )\\r\\n| order by DeviceId asc, Timestamp desc\",\"size\":0,\"title\":\"List files copied to USB mounted drives for {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Device\"},\"name\":\"groupDevice\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkInfo\\r\\n| summarize arg_max(TimeGenerated,*) by DeviceId\\r\\n| mv-apply ConnectedNetworks on \\r\\n(\\r\\nwhere ConnectedNetworks.IsConnectedToInternet == true\\r\\n)\\r\\n| project DeviceName, DefaultGateways, 
IPv4Dhcp, IPv6Dhcp,MacAddress,MachineGroup, ConnectedNetworks.IsConnectedToInternet\",\"size\":0,\"title\":\"Internet Connected Devices for {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkInfo\\r\\n| summarize arg_max(TimeGenerated,*) by DeviceId\\r\\n| summarize count() by MachineGroup\",\"size\":0,\"title\":\"Count By Machine Group for {TimeRange}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkInfo\\r\\n| summarize arg_max(TimeGenerated,*) by DeviceId\\r\\n| summarize count() by NetworkAdapterType, NetworkAdapterStatus\",\"size\":0,\"title\":\"Count By Network Adaptor\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 0 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkEvents\\r\\n| summarize count() by DeviceName, DeviceId,bin( TimeGenerated,5m)\",\"size\":0,\"title\":\"TimeSeries on Network Activity for {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 0 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkEvents\\r\\n| where isnotempty(RemoteUrl)\\r\\n| summarize count() by RemoteUrl\\r\\n| order by count_ desc\\r\\n| limit 10\",\"size\":0,\"title\":\"Top 10 RemoteUrl accessed over TimeRange 
{TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"name\":\"query - 0 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// This query looks for Tor client, or for a common Tor plugin called Meek.\\r\\n// We query for active Tor connections, but could have alternatively looked for active Tor runs (ProcessCreateEvents) or Tor downloads (DeviceFileEvents)\\r\\n// To read more about this technique, see:\\r\\n// Tor: https://attack.mitre.org/wiki/Software/S0183#Techniques_Used\\r\\n// Meek plugin: https://attack.mitre.org/wiki/Software/S0175\\r\\n// Multi-hop proxy technique: https://attack.mitre.org/wiki/Technique/T1188\\r\\n// Tags: #Tor, #MultiHopProxy, #CnC\\r\\nDeviceNetworkEvents \\r\\n| where Timestamp < ago(3d) and InitiatingProcessFileName in~ (\\\"tor.exe\\\", \\\"meek-client.exe\\\")\\r\\n// Returns MD5 hashes of files used by Tor, to enable you to block them.\\r\\n// We count how prevalent each file is (by machines) and show examples for some of them (up to 5 machine names per hash).\\r\\n| summarize MachineCount=dcount(DeviceName), MachineNames=makeset(DeviceName, 5) by InitiatingProcessMD5\\r\\n| order by MachineCount desc\",\"size\":0,\"title\":\"Tor Clients for {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Network\"},\"name\":\"groupNetwork\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileEvents\\r\\n| summarize FileActivityCount = count() by DeviceName\",\"size\":0,\"title\":\"FileActivityCount per Device for 
{TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\"},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileEvents\\r\\n| summarize count() by InitiatingProcessAccountUpn\",\"size\":0,\"title\":\"Count by InitiatingProcessAccountUpn for {TimeRange}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\"},\"name\":\"query - 0 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"File\"},\"name\":\"groupFile\"}],\"fromTemplateId\":\"sentinel-MicrosoftDefenderForEndPoint\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Microsoft Defender for Endpoint (Preview)\\n---\\n\\nA workbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through Microsoft Defender XDR Connector.\\n\\n\\n\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b22a3bd7-19b3-495d-a0df-95a7a59d98ff\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"value\":{\"durationMs\":172800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"f0450560-ef16-4aa9-a3ad-7485dd909587\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }]\",\"label\":\"Show Help\",\"value\":\"Yes\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":1,\"content\":{\"json\":\"\\r\\n|Overview|Device|Network|File|\\r\\n|--------|------|-------|----|\\r\\n|MDE Tables Last Data Received|Source of the AV detections|Internet Connected Devices|FileActivityCount per Device|\\r\\n|Daily Data Flow on MDE Tables|Get stats on ASR audit events|Count By Machine Group|Count by InitiatingProcessAccountUpn|\\r\\n|Device Heartbeat|Get stats on ASR blocks|Count By Network Adaptor||\\r\\n|Device where files are copied to USB Drive|AV Detections with USB Disk Drive|TimeSeries on Network Activity||\\r\\n|Device Internet Connectivity Status |List files copied to USB mounted drives|Top 10 RemoteUrl accessed over TimeRange||\\r\\n|Device Count by DNS Suffix ||Tor Clients||\\r\\n|Device Microsoft Entra ID Join status ||||\\r\\n|Device 
ClientVersion ||||\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 8\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"454d4e02-26ba-4195-ae30-94752bbf4603\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"Overview\",\"preText\":\"Overview\",\"style\":\"link\"},{\"id\":\"3d902e84-3e5b-4631-85d1-c229ec2abf75\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Device\",\"subTarget\":\"Device\",\"style\":\"link\"},{\"id\":\"bbc20288-b398-4f63-b7a9-e3830213bb34\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Network\",\"subTarget\":\"Network\",\"style\":\"link\"},{\"id\":\"edab4a44-8ca3-4ba1-bede-4186f4376d28\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"File\",\"subTarget\":\"File\",\"style\":\"link\"}]},\"name\":\"links - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union \\r\\nisfuzzy = true\\r\\n(DeviceInfo | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type= \\\"DeviceInfo\\\" | extend Description = \\\"Machine information (including OS information)\\\"),\\r\\n(DeviceNetworkInfo | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceNetworkInfo\\\" | extend Description = \\\"Network properties of machines\\\"),\\r\\n(DeviceProcessEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceProcessEvents\\\" | extend Description = \\\"Process creation and related events\\\"),\\r\\n(DeviceNetworkEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceNetworkEvents\\\" | extend Description = \\\"Network connection and related events\\\"),\\r\\n(DeviceFileEvents | summarize arg_max(TimeGenerated,*) | 
project TimeGenerated, Type=\\\"DeviceFileEvents\\\" | extend Description = \\\"File creation, modification, and other file system events\\\"),\\r\\n(DeviceRegistryEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceRegistryEvents\\\" | extend Description = \\\"Creation and modification of registry entries\\\"),\\r\\n(DeviceLogonEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceLogonEvents\\\" | extend Description = \\\"Sign-ins and other authentication events\\\"),\\r\\n(DeviceImageLoadEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceImageLoadEvents\\\" | extend Description = \\\"DLL loading events\\\"),\\r\\n(DeviceEvents | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceEvents\\\" | extend Description = \\\"Additional events types\\\"),\\r\\n(DeviceFileCertificateInfo | summarize arg_max(TimeGenerated,*) | project TimeGenerated, Type=\\\"DeviceFileCertificateInfo\\\" | extend Description = \\\"Certificate information of signed files)\\\")\\r\\n| extend [\\\"Last Log Received At (Local Time)\\\"] = TimeGenerated\\r\\n| project Type, Description, [\\\"Last Log Received At (Local Time)\\\"]\",\"size\":0,\"title\":\"MDE Tables Last Data Received based on {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Type\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Last Log Received At\",\"formatter\":6,\"dateFormat\":{\"formatName\":\"fullDateTimePattern\"}}],\"filter\":true}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AllDeviceNames = DeviceInfo | distinct DeviceId, DeviceName;\\nlet DeviceEventSummary = DeviceEvents | summarize count() by DeviceId, Type, 
bin(TimeGenerated,1d);\\nlet DeviceNetworkEventsSummary = DeviceNetworkEvents | summarize count() by DeviceId,Type, bin(TimeGenerated,1d);\\nlet DeviceNetworkInfoSummary = DeviceNetworkInfo | summarize count() by DeviceId,Type, bin(TimeGenerated,1d);\\nlet DeviceLogonEventsSummary = DeviceLogonEvents | summarize count() by DeviceId,Type, bin(TimeGenerated,1d);\\nlet DeviceRegistryEventsSummary = DeviceRegistryEvents | summarize count() by DeviceId,Type, bin(TimeGenerated,1d);\\nlet DeviceProcessEventsSummary = DeviceProcessEvents | summarize count() by DeviceId,Type, bin(TimeGenerated,1d);\\n(DeviceEventSummary\\n| union DeviceNetworkEventsSummary,\\nDeviceNetworkEventsSummary,\\nDeviceNetworkInfoSummary,\\nDeviceLogonEventsSummary,\\nDeviceRegistryEventsSummary,\\nDeviceProcessEventsSummary)\\n| join kind=inner ( \\nAllDeviceNames\\n)\\non $left.DeviceId == $right.DeviceId\\n| project-reorder Type, TimeGenerated, count_\\n//| project-away DeviceId, DeviceId1\",\"size\":1,\"title\":\"Daily Data Flow on MDE Tables over {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"xAxis\":\"count_\"}},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceInfo \\r\\n| summarize arg_max(TimeGenerated,*) by DeviceId\\r\\n| extend ParsedFields=parse_json(LoggedOnUsers)[0]\\r\\n| extend DurationAtLeast= format_timespan(now()-TimeGenerated,'dd:hh:mm:ss')\\r\\n| project DurationAtLeast,TimeGenerated,DeviceName,DomainName=ParsedFields.DomainName,UserName=ParsedFields.UserName\\r\\n| order by DurationAtLeast asc\",\"size\":0,\"title\":\"Device Heartbeat from TimeTange {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 
0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let UsbDriveMount = DeviceEvents\\r\\n| where ActionType==\\\"UsbDriveMounted\\\"\\r\\n| extend ParsedFields=parse_json(AdditionalFields)\\r\\n| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=Timestamp,\\r\\nProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer\\r\\n| order by DeviceId asc, MountTime desc;\\r\\nlet FileCreation = DeviceFileEvents\\r\\n| where InitiatingProcessAccountName != \\\"system\\\"\\r\\n| where ActionType == \\\"FileCreated\\\"\\r\\n| where FolderPath !startswith \\\"C:\\\\\\\\\\\"\\r\\n| where FolderPath !startswith \\\"\\\\\\\\\\\"\\r\\n| project ReportId,DeviceId,InitiatingProcessAccountDomain,\\r\\nInitiatingProcessAccountName,InitiatingProcessAccountUpn,\\r\\nFileName, FolderPath, SHA256, Timestamp, SensitivityLabel, IsAzureInfoProtectionApplied\\r\\n| order by DeviceId asc, Timestamp desc;\\r\\nFileCreation | lookup kind=inner (UsbDriveMount) on DeviceId\\r\\n| where FolderPath startswith DriveLetter\\r\\n| where Timestamp >= MountTime\\r\\n| partition by ReportId ( top 1 by MountTime )\\r\\n| order by DeviceId asc, Timestamp desc\\r\\n| summarize FileCount = count() by DeviceName\\r\\n| order by FileCount desc\",\"size\":1,\"title\":\"Device where files are copied to USB Drive from TimeTange {TimeRange}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"red\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkInfo\\r\\n| summarize arg_max(TimeGenerated,*) by DeviceId\\r\\n| mvexpand ConnectedNetworks\\r\\n| summarize count() by tostring(ConnectedNetworks.IsConnectedToInternet)\",\"size\":1,\"title\":\"Device Internet Connectivity 
Status from TimeTange {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"red\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceInfo\\r\\n| where isnotempty(OSPlatform)\\r\\n| summarize arg_max(Timestamp, DeviceName) by DeviceId\\r\\n| extend DeviceMachineName = split(DeviceName, '.')[0]\\r\\n| extend DeviceDomain = substring(DeviceName, strlen(DeviceMachineName) + 1, strlen(DeviceName) - strlen(DeviceMachineName) - 1)\\r\\n| summarize count() by DeviceDomain\",\"size\":1,\"title\":\"Device Count by DNS Suffix\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"filter\":true},\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"30\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceInfo\\r\\n| where isnotempty(OSPlatform)\\r\\n| summarize arg_max(TimeGenerated, *) by DeviceId\\r\\n| summarize count() by tostring(IsAzureADJoined)\",\"size\":1,\"title\":\"Device EntraID Join status\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"filter\":true},\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"30\",\"name\":\"query - 0 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceInfo\\r\\n| where isnotempty(OSPlatform)\\r\\n| summarize arg_max(TimeGenerated, *) by DeviceId\\r\\n| summarize count() by ClientVersion\",\"size\":1,\"title\":\"Device 
ClientVersion\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"filter\":true},\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"30\",\"name\":\"query - 0 - Copy - Copy - Copy - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Overview\"},\"name\":\"groupOverview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//This query shows the source of the AV detections (e.g., the website the file was downloaded from etc.)\\r\\n//\\r\\n//Get the list of AV detections\\r\\nlet avDetections =\\r\\nDeviceEvents\\r\\n| where ActionType == \\\"AntivirusDetection\\\" and isnotempty(MD5)\\r\\n| extend ParsedFields=parse_json(AdditionalFields)\\r\\n| project Timestamp, DeviceName, ThreatName=tostring(ParsedFields.ThreatName), FileName, FolderPath, MD5;\\r\\n//Get a list of file creations\\r\\nlet fileCreations =\\r\\nDeviceFileEvents \\r\\n| where (isnotempty(FileOriginReferrerUrl) or isnotempty(FileOriginUrl)) and isnotempty(MD5)\\r\\n| project MD5, FileOriginUrl, FileOriginReferrerUrl, InitiatingProcessFileName, InitiatingProcessParentFileName;\\r\\n//Join the file creations and AV detections on the MD5 of the file\\r\\navDetections | join kind=inner (fileCreations) on MD5\\r\\n| project-away MD51 //Remove the duplicated MD5 field\\r\\n| sort by Timestamp desc \",\"size\":0,\"title\":\"Source of the AV detections for {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\r\\n| where ActionType startswith \\\"Asr\\\" and ActionType 
endswith \\\"Audited\\\"\\r\\n// Count total stats - count events and machines per rule\\r\\n| summarize EventCount=count(), MachinesCount=dcount(DeviceId) by ActionType\",\"size\":0,\"title\":\"Get stats on ASR audit events - count events and machines per rule for {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\r\\n| where ActionType startswith \\\"Asr\\\" and ActionType endswith \\\"Blocked\\\"\\r\\n// Count total stats - count events and machines per rule\\r\\n| summarize EventCount=count(), MachinesCount=dcount(DeviceId) by ActionType\",\"size\":0,\"title\":\"Get stats on ASR blocks - count events and machines per rule for {TimeRange}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//This query make a best-guess detection regarding which removable media device caused an AV detection\\r\\n//The query is best run over 30 days to get the full USB history\\r\\n//\\r\\n//Get a list of USB AV detections. 
This assumes any path not beginning with C is a removable/USB device\\r\\nlet usbDetections =\\r\\n DeviceEvents\\r\\n | where ActionType == \\\"AntivirusDetection\\\" and FolderPath !startswith \\\"c\\\" and FolderPath matches regex \\\"^[A-Za-z]{1}\\\"\\r\\n | extend ParsedFields=parse_json(AdditionalFields)\\r\\n | project DetectionTime=Timestamp, DeviceName, ThreatName=tostring(ParsedFields.ThreatName), FileName, FolderPath;\\r\\n//Get a list of USB disk drive connections, grouped by computer name and DeviceID\\r\\nlet usbConnections = \\r\\n DeviceEvents\\r\\n | where ActionType == \\\"PnpDeviceConnected\\\"\\r\\n | extend parsed=parse_json(AdditionalFields)\\r\\n | project Timestamp, DeviceName, DeviceId=tostring(parsed.DeviceId), ClassName=tostring(parsed.ClassName)\\r\\n | where ClassName == \\\"DiskDrive\\\"\\r\\n | summarize UsbFirstSeen=min(Timestamp), UsbLastSeen=max(Timestamp) by DeviceId, DeviceName;\\r\\n//Join USB AV detections and connections, where the detection occurs after the USB has been plugged in\\r\\nusbDetections | join kind=inner (usbConnections) on DeviceName | where DetectionTime > UsbFirstSeen and DetectionTime < UsbLastSeen\\r\\n| project DetectionTime, DeviceName, ThreatName, FileName, FolderPath, DeviceId, UsbFirstSeen, UsbLastSeen\\r\\n| sort by DetectionTime desc\",\"size\":0,\"title\":\"AV Detections with USB Disk Drive for {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let UsbDriveMount = DeviceEvents\\r\\n| where ActionType==\\\"UsbDriveMounted\\\"\\r\\n| extend ParsedFields=parse_json(AdditionalFields)\\r\\n| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=Timestamp,\\r\\nProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer\\r\\n| order by DeviceId asc, 
MountTime desc;\\r\\nlet FileCreation = DeviceFileEvents\\r\\n| where InitiatingProcessAccountName != \\\"system\\\"\\r\\n| where ActionType == \\\"FileCreated\\\"\\r\\n| where FolderPath !startswith \\\"C:\\\\\\\\\\\"\\r\\n| where FolderPath !startswith \\\"\\\\\\\\\\\"\\r\\n| project ReportId,DeviceId,InitiatingProcessAccountDomain,\\r\\nInitiatingProcessAccountName,InitiatingProcessAccountUpn,\\r\\nFileName, FolderPath, SHA256, Timestamp, SensitivityLabel, IsAzureInfoProtectionApplied\\r\\n| order by DeviceId asc, Timestamp desc;\\r\\nFileCreation | lookup kind=inner (UsbDriveMount) on DeviceId\\r\\n| where FolderPath startswith DriveLetter\\r\\n| where Timestamp >= MountTime\\r\\n| partition by ReportId ( top 1 by MountTime )\\r\\n| order by DeviceId asc, Timestamp desc\",\"size\":0,\"title\":\"List files copied to USB mounted drives for {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Device\"},\"name\":\"groupDevice\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkInfo\\r\\n| summarize arg_max(TimeGenerated,*) by DeviceId\\r\\n| mv-apply ConnectedNetworks on \\r\\n(\\r\\nwhere ConnectedNetworks.IsConnectedToInternet == true\\r\\n)\\r\\n| project DeviceName, DefaultGateways, IPv4Dhcp, IPv6Dhcp,MacAddress,MachineGroup, ConnectedNetworks.IsConnectedToInternet\",\"size\":0,\"title\":\"Internet Connected Devices for {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkInfo\\r\\n| summarize arg_max(TimeGenerated,*) by DeviceId\\r\\n| summarize 
count() by MachineGroup\",\"size\":0,\"title\":\"Count By Machine Group for {TimeRange}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkInfo\\r\\n| summarize arg_max(TimeGenerated,*) by DeviceId\\r\\n| summarize count() by NetworkAdapterType, NetworkAdapterStatus\",\"size\":0,\"title\":\"Count By Network Adaptor\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 0 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkEvents\\r\\n| summarize count() by DeviceName, DeviceId,bin( TimeGenerated,5m)\",\"size\":0,\"title\":\"TimeSeries on Network Activity for {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 0 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkEvents\\r\\n| where isnotempty(RemoteUrl)\\r\\n| summarize count() by RemoteUrl\\r\\n| order by count_ desc\\r\\n| limit 10\",\"size\":0,\"title\":\"Top 10 RemoteUrl accessed over TimeRange {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"name\":\"query - 0 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// This query looks for Tor client, or for a common Tor plugin called Meek.\\r\\n// We query for active Tor connections, but could have alternatively looked for active Tor runs (ProcessCreateEvents) or Tor downloads (DeviceFileEvents)\\r\\n// To read more about this technique, see:\\r\\n// Tor: 
https://attack.mitre.org/wiki/Software/S0183#Techniques_Used\\r\\n// Meek plugin: https://attack.mitre.org/wiki/Software/S0175\\r\\n// Multi-hop proxy technique: https://attack.mitre.org/wiki/Technique/T1188\\r\\n// Tags: #Tor, #MultiHopProxy, #CnC\\r\\nDeviceNetworkEvents \\r\\n| where Timestamp < ago(3d) and InitiatingProcessFileName in~ (\\\"tor.exe\\\", \\\"meek-client.exe\\\")\\r\\n// Returns MD5 hashes of files used by Tor, to enable you to block them.\\r\\n// We count how prevalent each file is (by machines) and show examples for some of them (up to 5 machine names per hash).\\r\\n| summarize MachineCount=dcount(DeviceName), MachineNames=makeset(DeviceName, 5) by InitiatingProcessMD5\\r\\n| order by MachineCount desc\",\"size\":0,\"title\":\"Tor Clients for {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Network\"},\"name\":\"groupNetwork\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileEvents\\r\\n| summarize FileActivityCount = count() by DeviceName\",\"size\":0,\"title\":\"FileActivityCount per Device for {TimeRange}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\"},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileEvents\\r\\n| summarize count() by InitiatingProcessAccountUpn\",\"size\":0,\"title\":\"Count by InitiatingProcessAccountUpn for {TimeRange}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\"},\"name\":\"query - 0 - 
Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"File\"},\"name\":\"groupFile\"}],\"fromTemplateId\":\"sentinel-MicrosoftDefenderForEndPoint\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -2457,7 +2463,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", "properties": { - "description": "@{workbookKey=MicrosoftDefenderForEndPoint; logoFileName=Azure_Sentinel.svg; description=A wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through M365 Defender Connector.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Microsoft Defender For EndPoint; templateRelativePath=MicrosoftDefenderForEndPoint.json; subtitle=; provider=Microsoft Sentinel Community}.description", + "description": "@{workbookKey=MicrosoftDefenderForEndPoint; logoFileName=Azure_Sentinel.svg; description=A wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through Microsoft Defender XDR Connector.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Microsoft Defender For EndPoint; templateRelativePath=MicrosoftDefenderForEndPoint.json; subtitle=; provider=Microsoft Sentinel Community}.description", "parentId": "[variables('workbookId2')]", "contentId": "[variables('_workbookContentId2')]", "kind": "Workbook", 
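Review bot: The new `description` on the second Workbook metadata resource still reads `A wokbook to provide details …`, while the same sentence is corrected to `A workbook …` in the serialized workbook earlier in this file and in Workbooks/MicrosoftDefenderForEndPoint.json, so the typo survives in the text the content hub shows for this workbook. The value is also the whole stringified hashtable `@{workbookKey=MicrosoftDefenderForEndPoint; … provider=Microsoft Sentinel Community}.description` rather than the description text, which looks like the packaging step appended `.description` to an already-stringified object instead of reading the member; the expected value is `"description": "A workbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through Microsoft Defender XDR Connector."`. Since this package file is generated, both fixes presumably belong in the workbook metadata source and the packaging tool rather than in a hand edit here.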
@@ -2503,7 +2509,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MicrosoftDefenderForIdentityWorkbook Workbook with template version 3.0.1", + "description": "MicrosoftDefenderForIdentity Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion3')]", @@ -2600,7 +2606,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "Microsoft Defender XDR", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Microsoft Defender XDR solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.

\n

Additional Hunting Queries to support proactive and reactive hunting for the Microsoft Defender XDR solution can be found on GitHub. This repository has a collection of queries developed by Microsoft Security Research and Microsoft Sentinel community contributions.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API
  2. \n
\n

Data Connectors: 1, Workbooks: 3, Analytic Rules: 10, Hunting Queries: 4

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Microsoft Defender XDR solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.

\n

Additional Hunting Queries to support proactive and reactive hunting for the Microsoft Defender XDR solution can be found on GitHub. This repository has a collection of queries developed by Microsoft Security Research and Microsoft Sentinel community contributions.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API
  2. \n
\n

Data Connectors: 1, Workbooks: 3, Analytic Rules: 10, Hunting Queries: 4

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", 
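Review bot: The rebuilt `descriptionHtml` still lists an empty second item under "Underlying Microsoft Technologies used" (`1. Azure Monitor HTTP Data Collector API` followed by a bare `2.`), so the solution page renders a numbered item with no text; unless the diff view dropped that item's contents, the item should either name the second dependency or be removed from the list. With markup stripped the old and new strings read identically, so whatever this hunk changes is not visible here and is presumably inside a tag or link attribute. Because this string is generated by the packaging tool, the fix belongs in the solution metadata the tool reads rather than in this file.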
@@ -2632,73 +2638,73 @@ }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": 
"[variables('analyticRuleObject7').analyticRuleVersion7]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId8')]", - "version": "[variables('analyticRuleVersion8')]" + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId10')]", - "version": "[variables('analyticRuleVersion10')]" + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId1')]", - "version": "[variables('huntingQueryVersion1')]" + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId3')]", - "version": "[variables('huntingQueryVersion3')]" + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + 
"version": "[variables('huntingQueryObject4').huntingQueryVersion4]" }, { "kind": "Workbook", diff --git a/Solutions/Microsoft Defender XDR/Workbooks/MicrosoftDefenderForEndPoint.json b/Solutions/Microsoft Defender XDR/Workbooks/MicrosoftDefenderForEndPoint.json index 3a940997888..297e1d0139c 100644 --- a/Solutions/Microsoft Defender XDR/Workbooks/MicrosoftDefenderForEndPoint.json +++ b/Solutions/Microsoft Defender XDR/Workbooks/MicrosoftDefenderForEndPoint.json @@ -4,7 +4,7 @@ { "type": 1, "content": { - "json": "## Microsoft Defender for Endpoint (Preview)\n---\n\nA wokbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through M365 Defender Connector.\n\n\n" + "json": "## Microsoft Defender for Endpoint (Preview)\n---\n\nA workbook to provide details about Microsoft Defender for Endpoint Advance Hunting to Overview & Analyse data brought through Microsoft Defender XDR Connector.\n\n\n" }, "name": "text - 2" },
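Review bot: Every `contentId`/`version` in the dependencies block now dereferences a member of `variables('analyticRuleObjectN')` or `variables('huntingQueryObjectN')`, but those object variables are defined outside this hunk, so check that each object exposes exactly the member names used here — the underscore-prefixed `_analyticRulecontentIdN` / `_huntingQuerycontentIdN` for the id and the unprefixed `analyticRuleVersionN` / `huntingQueryVersionN` for the version — because a property access on a missing member is reported at template validation or deployment time, not by a JSON check of this file. As a point of style, encoding the index into both the variable name and the member name (`variables('analyticRuleObject7').analyticRuleVersion7`) makes each of the fourteen entries unique for no reason; uniform members such as `contentId` and `version` would let every entry share one shape, though that is a change to the packaging tool rather than to this generated file. The counts in the `descriptionHtml` above (10 analytic rules, 4 hunting queries) do match the entries listed here.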