update semperis DSP solution

Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_EvidenceOfMimikatzDCShadowAttack.yaml

@@ -28,5 +28,5 @@ entityMappings:
         columnName: HostName
       - identifier: DnsDomain
         columnName: DnsDomain
-version: 1.0.1
+version: 2.0.6
 kind: Scheduled

Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_KerberoskrbtgtAccount.yaml

@@ -28,5 +28,5 @@ entityMappings:
         columnName: HostName
       - identifier: DnsDomain
         columnName: DnsDomain
-version: 1.0.2
+version: 2.0.6
 kind: Scheduled

Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_RecentsIDHistoryChangesOnADObjects.yaml

@@ -29,5 +29,5 @@ entityMappings:
         columnName: HostName
       - identifier: DnsDomain
         columnName: DnsDomain
-version: 1.0.2
+version: 2.0.6
 kind: Scheduled

Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_WellKnownPrivilegedSIDsInsIDHistory.yaml

@@ -29,5 +29,5 @@ entityMappings:
         columnName: HostName
       - identifier: DnsDomain
         columnName: DnsDomain
-version: 1.0.1
+version: 2.0.6
 kind: Scheduled

Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_ZerologonVulnerability.yaml

@@ -28,5 +28,5 @@ entityMappings:
         columnName: HostName
       - identifier: DnsDomain
         columnName: DnsDomain
-version: 1.0.2
+version: 2.0.6
 kind: Scheduled

Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Failed_Logons.yaml

@@ -49,5 +49,5 @@ eventGroupingSettings:
 alertDetailsOverride:
   alertDisplayNameFormat: Failed Logon -- Alert from Semperis Directory Services Protector
   alertDescriptionFormat: A failed logon was detected to the DSP system.
-version: 1.1.1
+version: 2.0.6
 kind: Scheduled

Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Operations_Critical_Notifications_.yaml

@@ -50,5 +50,5 @@ eventGroupingSettings:
 alertDetailsOverride:
   alertDisplayNameFormat: Critical Notification -- Alert from Semperis Directory Services Protector
   alertDescriptionFormat: A critical notification was created in the DSP system.
-version: 1.1.1
+version: 2.0.6
 kind: Scheduled

Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_RBAC_Changes.yaml

@@ -57,5 +57,5 @@ eventGroupingSettings:
 alertDetailsOverride:
   alertDisplayNameFormat: RBAC Change -- Alert from Semperis Directory Services Protector
   alertDescriptionFormat: A RBAC change was detected in the DSP system.
-version: 1.1.1
+version: 2.0.6
 kind: Scheduled

Solutions/Semperis Directory Services Protector/Data/Solution_Semperis.json

@@ -26,7 +26,7 @@
 		"Data Connectors/SemperisDSP-connector.json"
 	],
 	"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Semperis Directory Services Protector",
-	"Version": "2.0.5",
+	"Version": "2.0.6",
 	"Metadata": "SolutionMetadata.json",
 	"TemplateSpec": true,
 	"Is1Pconnector": false

Solutions/Semperis Directory Services Protector/Workbooks/SemperisDSPNotifications.json

@@ -82,7 +82,6 @@
             "name": "Severity",
             "type": 2,
             "typeSettings": {
-              "additionalResourceOptions": [],
               "showDefault": false
             },
             "jsonData": "[\r\n    { \"value\":\"Critical\", \"label\":\"Critical\" },\r\n    { \"value\":\"Warning\" , \"label\":\"Warning\" },\r\n    { \"value\":\"Informational\" , \"label\":\"Informational\" }\r\n]",
@@ -102,7 +101,7 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Event\r\n| where Source == 'Semperis-DSP-Notifications' \r\n| extend p1Xml = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-expand bagexpansion=array p1Xml\r\n| evaluate bag_unpack(p1Xml)\r\n| extend Key1=tostring(['@Name']), Value=['#text']\r\n| evaluate pivot(Key1, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, EventCategory, UserName, Type, _ResourceId)\r\n| where (isempty('{Time}') or (todatetime(timeCreated) >= todatetime('{Time:startISO}') and todatetime(timeCreated) <= todatetime('{Time:endISO}'))) and ((isempty('{RuleName}') or indexof(ruleName,'{RuleName}') > -1)) and ((isempty('{Severity}') or severity == '{Severity}'))\r\n| order by TimeGenerated desc\r\n| project ruleName, fullOperation\r\n",
+        "query": "SecurityEvent\r\n| where EventSourceName == 'Semperis-DSP-Notifications' \r\n| extend p1Xml = parse_xml(EventData).EventData.Data\r\n| mv-expand bagexpansion=array p1Xml\r\n| evaluate bag_unpack(p1Xml)\r\n| extend Name=column_ifexists(tostring('@Name'), ''), Value=column_ifexists('#text', '')\r\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\r\n| where (isempty('{Time}') or (todatetime(timeCreated) >= todatetime('{Time:startISO}') and todatetime(timeCreated) <= todatetime('{Time:endISO}'))) and ((isempty('{RuleName}') or indexof(ruleName,'{RuleName}') > -1)) and ((isempty('{Severity}') or severity == '{Severity}'))\r\n| order by TimeGenerated desc\r\n| project ruleName, severity, Computer, objectDN, timeCreated, fullOperation, attributeName, attributeValue, changedBy, originatingServerName\r\n",
         "size": 0,
         "title": "Notifications",
         "queryType": 0,