diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailUrlInfo.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailUrlInfo.yaml index 58e330e28dc..6cbc6b6c4fa 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailUrlInfo.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailUrlInfo.yaml @@ -1,7 +1,7 @@ id: 87cc75df-d7b2-44f1-b064-ee924edfc879 name: TI map Domain entity to EmailUrlInfo description: | - 'Identifies a match in EmailUrlInfo table from any Domain IOC from TI.' + Identifies a match in EmailUrlInfo table from any Domain IOC from TI. severity: Medium requiredDataConnectors: - connectorId: Office365 @@ -25,44 +25,60 @@ tactics: relevantTechniques: - T1566 query: | - let dt_lookBack = 1h; - let ioc_lookBack = 14d; - let EmailUrlInfo_ = materialize(EmailUrlInfo - | where isnotempty(UrlDomain) - | where TimeGenerated > ago(dt_lookBack) - | project-rename Email_Url = Url); - let Domains = EmailUrlInfo_ - | distinct UrlDomain - | summarize make_list(UrlDomain); - let Candidates = ThreatIntelligenceIndicator - | where isnotempty(DomainName) - | where TimeGenerated >= ago(ioc_lookBack) - | extend TI_Domain = tolower(DomainName) - | where TI_Domain in (Domains) - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true and ExpirationDateTime > now() - | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;" - | join kind=innerunique EmailUrlInfo_ on $left.TI_Domain == $right.UrlDomain - | join kind=innerunique (EmailEvents | where TimeGenerated >= ago(dt_lookBack) | project-rename EmailEvents_TimeGenerated = TimeGenerated) on $left.NetworkMessageId == $right.NetworkMessageId - | where DeliveryLocation !has "Quarantine" - // Customize and uncomment the following line to remove security related mailboxes - //| where tolower(RecipientEmailAddress) !in ("secmailbox1@example.com", "secmailbox2@example.com") - | where EmailEvents_TimeGenerated < ExpirationDateTime - | summarize EmailEvents_TimeGenerated = arg_max(EmailEvents_TimeGenerated, *) by IndicatorId, RecipientEmailAddress; - let Candidate_Domains = Candidates | distinct TI_Domain | summarize make_list(TI_Domain); - ThreatIntelligenceIndicator - | where isnotempty(Url) - | where TimeGenerated > ago(ioc_lookBack) - | extend Host = tostring(parse_url(Url).Host) - | where Host in (Candidate_Domains) - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true and ExpirationDateTime > now() - | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;" - | join kind=innerunique (Candidates | extend parsed_url = parse_url(Email_Url) | extend BaseUrl = strcat(parsed_url.Scheme, "://", parsed_url.Host, parsed_url.Path)) on $left.Url == $right.BaseUrl - | where DeliveryAction !has "Blocked" - | project EmailEvents_TimeGenerated, RecipientEmailAddress, IndicatorId, TI_Domain, ConfidenceScore, Description, Tags, TrafficLightProtocolLevel, Url = Email_Url, DeliveryAction, DeliveryLocation, EmailDirection, NetworkMessageId, AuthenticationDetails, SenderFromAddress, SenderIPv4, Subject - | extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0]) - | extend timestamp = EmailEvents_TimeGenerated + let dt_lookBack = 1h; // Define the lookback period for email data as 1 hour + let ioc_lookBack = 14d; // Define the lookback period for threat intelligence data as 14 days + let EmailUrlInfo_ = EmailUrlInfo + | where isnotempty(Url) or isnotempty(UrlDomain) // Filter for non-empty URLs or URL domains + | where TimeGenerated >= ago(dt_lookBack) // Filter for records within the lookback period + | extend Url = tolower(Url), UrlDomain = tolower(UrlDomain) // Convert URLs and domains to lowercase + | extend EmailUrlInfo_TimeGenerated = TimeGenerated; // Create a new column for the time generated + let EmailEvents_ = EmailEvents + | where TimeGenerated >= ago(dt_lookBack); // Filter email events within the lookback period + let TI_Indicators = ThreatIntelligenceIndicator + | where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId // Get the latest indicator time for each IndicatorId + | where Active == true and ExpirationDateTime > now(); // Filter for active indicators that haven't expired + let TI_Urls = TI_Indicators + | where isnotempty(Url) // Filter for non-empty URLs + | extend Url = tolower(Url) // Convert URLs to lowercase + | join kind=innerunique (EmailUrlInfo_) on Url // Join with email URL info on URL + | where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired + | summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, Url // Get the latest email info for each indicator + | project + EmailUrlInfo_TimeGenerated, + Description, + ActivityGroupNames, + IndicatorId, + ThreatType, + ExpirationDateTime, + ConfidenceScore, + Url, + UrlLocation, + NetworkMessageId; // Select relevant columns + let TI_Domains = TI_Indicators + | where isnotempty(DomainName) // Filter for non-empty domain names + | extend DomainName = tolower(DomainName) // Convert domain names to lowercase + | join kind=innerunique (EmailUrlInfo_) on $left.DomainName == $right.UrlDomain // Join with email URL info on domain name + | where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired + | summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, UrlDomain // Get the latest email info for each indicator + | project + EmailUrlInfo_TimeGenerated, + Description, + ActivityGroupNames, + IndicatorId, + ThreatType, + ExpirationDateTime, + ConfidenceScore, + UrlDomain, + UrlLocation, + NetworkMessageId; // Select relevant columns + union TI_Urls, TI_Domains // Combine URL and domain threat intelligence data + | extend timestamp = EmailUrlInfo_TimeGenerated // Add a timestamp column + | join kind=inner (EmailEvents_) on NetworkMessageId // Join with email events on network message ID + | where DeliveryAction !has "Blocked" // Filter out blocked delivery actions + | extend + Name = tostring(split(RecipientEmailAddress, '@', 0)), + UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)); // Extract name and UPN suffix from recipient email address entityMappings: - entityType: Account fieldMappings: @@ -76,5 +92,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.0.2 +version: 1.0.3 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_Workday.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_Workday.yaml new file mode 100644 index 00000000000..6a7ab357682 --- /dev/null +++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_Workday.yaml @@ -0,0 +1,80 @@ +id: a924d317-03d2-4420-a71f-4d347bda4bd8 +name: TI map IP entity to Workday(ASimAuditEventLogs) +description: | + Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI). +severity: Medium +requiredDataConnectors: + - connectorId: ThreatIntelligence + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: ThreatIntelligenceTaxii + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: Workday + dataTypes: + - Workday + - connectorId: MicrosoftDefenderThreatIntelligence + dataTypes: + - ThreatIntelligenceIndicator +queryFrequency: 1h +queryPeriod: 14d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - CommandAndControl +relevantTechniques: + - T1071 +query: | + let dtLookBack = 1h; // Define the lookback period for audit events + let ioc_lookBack = 14d; // Define the lookback period for threat intelligence indicators + ThreatIntelligenceIndicator + | where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period + | where isnotempty(NetworkIP) + or isnotempty(EmailSourceIpAddress) + or isnotempty(NetworkDestinationIP) + or isnotempty(NetworkSourceIP) // Filter for indicators with relevant IP fields + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId // Get the latest indicator time for each IndicatorId + | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress) // Combine IP fields into a single entity + | where Active == true and ExpirationDateTime > now() // Filter for active indicators that have not expired + | join kind=inner ( + ASimAuditEventLogs + | where EventVendor == "Workday" // Filter for Workday events + | where TimeGenerated >= ago(dtLookBack) // Filter events within the lookback period + | where isnotempty(DvcIpAddr) // Filter for events with a device IP address + | extend WD_TimeGenerated = EventStartTime // Rename the event start time column + | project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Select relevant columns + ) + on $left.TI_ipEntity == $right.DvcIpAddr // Join on the IP entity + | project + LatestIndicatorTime, + Description, + ActivityGroupNames, + IndicatorId, + ThreatType, + Url, + ExpirationDateTime, + ConfidenceScore, + WD_TimeGenerated, + ActorUsername, + DvcIpAddr, + Operation, + Object // Select relevant columns after the join + | extend + timestamp = WD_TimeGenerated, + Name = tostring(split(ActorUsername, '@', 0)), + UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields for timestamp, name, and UPN suffix +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: ActorUsername + - identifier: Name + columnName: Name + - identifier: UPNSuffix + columnName: UPNSuffix + - entityType: IP + fieldMappings: + - identifier: Address + columnName: DvcIpAddr +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json b/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json index 827bb65a3c0..3487118e055 100644 --- a/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json +++ b/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json @@ -72,7 +72,8 @@ "Analytic Rules/EmailEntity_CloudAppEvents.yaml", "Analytic Rules/FileHashEntity_CloudAppEvents.yaml", "Analytic Rules/IPEntity_CloudAppEvents.yaml", - "Analytic Rules/URLEntity_CloudAppEvents.yaml" + "Analytic Rules/URLEntity_CloudAppEvents.yaml", + "Analytic Rules/IPEntity_Workday.yaml" ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Threat Intelligence\\", diff --git a/Solutions/Threat Intelligence/Package/3.0.8.zip b/Solutions/Threat Intelligence/Package/3.0.8.zip index 9ad94b88a4c..f1b51f2a144 100644 Binary files a/Solutions/Threat Intelligence/Package/3.0.8.zip and b/Solutions/Threat Intelligence/Package/3.0.8.zip differ diff --git a/Solutions/Threat Intelligence/Package/3.0.9.zip b/Solutions/Threat Intelligence/Package/3.0.9.zip new file mode 100644 index 00000000000..d38de41431f Binary files /dev/null and b/Solutions/Threat Intelligence/Package/3.0.9.zip differ diff --git a/Solutions/Threat Intelligence/Package/createUiDefinition.json b/Solutions/Threat Intelligence/Package/createUiDefinition.json index e569979ed0a..72b5e9731f2 100644 --- a/Solutions/Threat Intelligence/Package/createUiDefinition.json +++ b/Solutions/Threat Intelligence/Package/createUiDefinition.json @@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 5, **Workbooks:** 1, **Analytic Rules:** 52, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 5, **Workbooks:** 1, **Analytic Rules:** 53, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -67,84 +67,28 @@ "name": "dataconnectors2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The data connectors installed are:" + "text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { - "name": "DC1", - "type": "Microsoft.Common.Section", - "label": "(1)\t\tThreat Intelligence Platforms", - "elements": [ - { - "name": "DC1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Use this connector to send threat indicators to Microsoft Sentinel from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MindMeld, MISP, or other integrated applications." - } - } - ] - }, - { - "name": "DC2", - "type": "Microsoft.Common.Section", - "label": "(2)\t\tThreat Intelligence - TAXII", - "elements": [ - { - "name": "DC1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Use this connector to bring in threat intelligence to Microsoft Sentinel from a TAXII 2.0 or 2.1 server." - } - } - ] - }, - { - "name": "DC3", - "type": "Microsoft.Common.Section", - "label": "(3)\t\tThreat Intelligence Upload Indicators API", - "elements": [ - { - "name": "DC1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Microsoft Sentinel offer a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses." - } - } - ] - }, - { - "name": "DC4", - "type": "Microsoft.Common.Section", - "label": "(4)\t\tMicrosoft Defender Threat Intelligence", - "elements": [ - { - "name": "DC1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Microsoft Sentinel provides you the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes, etc." - } - } - ] + "name": "dataconnectors3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } }, { - "name": "DC5", - "type": "Microsoft.Common.Section", - "label": "(5)\t\tPremium Microsoft Defender Threat Intelligence", - "elements": [ - { - "name": "DC1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Microsoft Sentinel provides you the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes, etc. Note: This is a paid connector. To use and ingest data from it, please purchase the \"MDTI API Access\" SKU from the Partner Center." - } - } - ] + "name": "dataconnectors4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } }, { - "name": "dataconnectors3-text", + "name": "dataconnectors5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "After installing the solution, configure and enable these data connectors by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { @@ -954,6 +898,20 @@ } } ] + }, + { + "name": "analytic53", + "type": "Microsoft.Common.Section", + "label": "TI map IP entity to Workday(ASimAuditEventLogs)", + "elements": [ + { + "name": "analytic53-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI)." + } + } + ] } ] }, diff --git a/Solutions/Threat Intelligence/Package/mainTemplate.json b/Solutions/Threat Intelligence/Package/mainTemplate.json index 2886a3b99ff..625fc627722 100644 --- a/Solutions/Threat Intelligence/Package/mainTemplate.json +++ b/Solutions/Threat Intelligence/Package/mainTemplate.json @@ -41,7 +41,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Threat Intelligence", - "_solutionVersion": "3.0.8", + "_solutionVersion": "3.0.9", "solutionId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "ThreatIntelligenceTaxii", @@ -150,11 +150,11 @@ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','96307710-8bb9-4b45-8363-a90c72ebf86f','-', '1.0.2')))]" }, "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.2", + "analyticRuleVersion5": "1.0.3", "_analyticRulecontentId5": "87cc75df-d7b2-44f1-b064-ee924edfc879", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '87cc75df-d7b2-44f1-b064-ee924edfc879')]", "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('87cc75df-d7b2-44f1-b064-ee924edfc879')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','87cc75df-d7b2-44f1-b064-ee924edfc879','-', '1.0.2')))]" + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','87cc75df-d7b2-44f1-b064-ee924edfc879','-', '1.0.3')))]" }, "analyticRuleObject6": { "analyticRuleVersion6": "1.0.6", @@ -485,8 +485,14 @@ "analyticRuleTemplateSpecName52": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e8ae92dd-1d41-4530-8be8-85c5014c7b47')))]", "_analyticRulecontentProductId52": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e8ae92dd-1d41-4530-8be8-85c5014c7b47','-', '1.0.3')))]" }, - "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", - "management": "[concat('https://management','.azure','.com/')]" + "analyticRuleObject53": { + "analyticRuleVersion53": "1.0.0", + "_analyticRulecontentId53": "a924d317-03d2-4420-a71f-4d347bda4bd8", + "analyticRuleId53": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a924d317-03d2-4420-a71f-4d347bda4bd8')]", + "analyticRuleTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a924d317-03d2-4420-a71f-4d347bda4bd8')))]", + "_analyticRulecontentProductId53": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a924d317-03d2-4420-a71f-4d347bda4bd8','-', '1.0.0')))]" + }, + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { @@ -498,7 +504,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence data connector with template version 3.0.8", + "description": "Threat Intelligence data connector with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -657,7 +663,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence data connector with template version 3.0.8", + "description": "Threat Intelligence data connector with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -816,7 +822,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence data connector with template version 3.0.8", + "description": "Threat Intelligence data connector with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion3')]", @@ -890,7 +896,7 @@ "title": "Follow These Steps to Connect to your Threat Intelligence: " }, { - "description": "[concat('To send request to the APIs, you need to acquire Azure Active Directory access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request AAD access token with scope value: ', variables('management'), '.default')]", + "description": "To send request to the APIs, you need to acquire Microsoft Entra ID access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request Microsoft Entra ID access token with scope value: https://management.azure.com/.default ", "title": "1. Get Microsoft Entra ID Access Token" }, { @@ -1038,7 +1044,7 @@ "title": "Follow These Steps to Connect to your Threat Intelligence: " }, { - "description": "[concat('To send request to the APIs, you need to acquire Azure Active Directory access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request AAD access token with scope value: ', variables('management'), '.default')]", + "description": "To send request to the APIs, you need to acquire Microsoft Entra ID access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request Microsoft Entra ID access token with scope value: https://management.azure.com/.default ", "title": "1. Get Microsoft Entra ID Access Token" }, { @@ -1059,7 +1065,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence data connector with template version 3.0.8", + "description": "Threat Intelligence data connector with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion4')]", @@ -1078,7 +1084,8 @@ "title": "Premium Microsoft Defender Threat Intelligence", "publisher": "Microsoft", "logo": { - "type": 258 + "type": 258, + "options": null }, "descriptionMarkdown": "Microsoft Sentinel provides you the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes, etc. Note: This is a paid connector. To use and ingest data from it, please purchase the \"MDTI API Access\" SKU from the Partner Center.", "graphQueries": [ @@ -1327,7 +1334,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence data connector with template version 3.0.8", + "description": "Threat Intelligence data connector with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion5')]", @@ -1486,7 +1493,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ThreatIntelligence Workbook with template version 3.0.8", + "description": "ThreatIntelligence Workbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -1590,7 +1597,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.8", + "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -1671,7 +1678,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.8", + "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -1752,7 +1759,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.8", + "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -1833,7 +1840,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.8", + "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -1914,7 +1921,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.8", + "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -1995,7 +2002,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -2051,8 +2058,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } ], "entityType": "Host" @@ -2060,8 +2067,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -2069,8 +2076,8 @@ { "fieldMappings": [ { - "columnName": "PA_Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "PA_Url" } ], "entityType": "URL" @@ -2129,7 +2136,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -2191,12 +2198,12 @@ { "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -2204,8 +2211,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" } ], "entityType": "Host" @@ -2213,8 +2220,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -2222,8 +2229,8 @@ { "fieldMappings": [ { - "columnName": "InitiatingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "InitiatingProcessCommandLine" } ], "entityType": "Process" @@ -2282,7 +2289,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -2344,16 +2351,16 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -2361,8 +2368,8 @@ { "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ], "entityType": "IP" @@ -2370,8 +2377,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -2430,7 +2437,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -2492,16 +2499,16 @@ { "fieldMappings": [ { - "columnName": "RecipientEmailAddress", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "RecipientEmailAddress" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -2560,7 +2567,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -2577,7 +2584,7 @@ "description": "Identifies a match in EmailUrlInfo table from any Domain IOC from TI.", "displayName": "TI map Domain entity to EmailUrlInfo", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet EmailUrlInfo_ = materialize(EmailUrlInfo\n| where isnotempty(UrlDomain)\n| where TimeGenerated > ago(dt_lookBack)\n| project-rename Email_Url = Url);\nlet Domains = EmailUrlInfo_\n| distinct UrlDomain\n| summarize make_list(UrlDomain);\nlet Candidates = ThreatIntelligenceIndicator\n| where isnotempty(DomainName)\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend TI_Domain = tolower(DomainName)\n| where TI_Domain in (Domains)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique EmailUrlInfo_ on $left.TI_Domain == $right.UrlDomain\n| join kind=innerunique (EmailEvents | where TimeGenerated >= ago(dt_lookBack) | project-rename EmailEvents_TimeGenerated = TimeGenerated) on $left.NetworkMessageId == $right.NetworkMessageId\n| where DeliveryLocation !has \"Quarantine\"\n// Customize and uncomment the following line to remove security related mailboxes\n//| where tolower(RecipientEmailAddress) !in (\"secmailbox1@example.com\", \"secmailbox2@example.com\")\n| where EmailEvents_TimeGenerated < ExpirationDateTime\n| summarize EmailEvents_TimeGenerated = arg_max(EmailEvents_TimeGenerated, *) by IndicatorId, RecipientEmailAddress;\nlet Candidate_Domains = Candidates | distinct TI_Domain | summarize make_list(TI_Domain);\nThreatIntelligenceIndicator\n| where isnotempty(Url)\n| where TimeGenerated > ago(ioc_lookBack)\n| extend Host = tostring(parse_url(Url).Host)\n| where Host in (Candidate_Domains)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique (Candidates | extend parsed_url = parse_url(Email_Url) | extend BaseUrl = strcat(parsed_url.Scheme, \"://\", parsed_url.Host, parsed_url.Path)) on $left.Url == $right.BaseUrl\n| where DeliveryAction !has \"Blocked\"\n| project EmailEvents_TimeGenerated, RecipientEmailAddress, IndicatorId, TI_Domain, ConfidenceScore, Description, Tags, TrafficLightProtocolLevel, Url = Email_Url, DeliveryAction, DeliveryLocation, EmailDirection, NetworkMessageId, AuthenticationDetails, SenderFromAddress, SenderIPv4, Subject\n| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])\n| extend timestamp = EmailEvents_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Define the lookback period for email data as 1 hour\nlet ioc_lookBack = 14d; // Define the lookback period for threat intelligence data as 14 days\nlet EmailUrlInfo_ = EmailUrlInfo\n | where isnotempty(Url) or isnotempty(UrlDomain) // Filter for non-empty URLs or URL domains\n | where TimeGenerated >= ago(dt_lookBack) // Filter for records within the lookback period\n | extend Url = tolower(Url), UrlDomain = tolower(UrlDomain) // Convert URLs and domains to lowercase\n | extend EmailUrlInfo_TimeGenerated = TimeGenerated; // Create a new column for the time generated\nlet EmailEvents_ = EmailEvents\n | where TimeGenerated >= ago(dt_lookBack); // Filter email events within the lookback period\nlet TI_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId // Get the latest indicator time for each IndicatorId\n | where Active == true and ExpirationDateTime > now(); // Filter for active indicators that haven't expired\nlet TI_Urls = TI_Indicators\n | where isnotempty(Url) // Filter for non-empty URLs\n | extend Url = tolower(Url) // Convert URLs to lowercase\n | join kind=innerunique (EmailUrlInfo_) on Url // Join with email URL info on URL\n | where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired\n | summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, Url // Get the latest email info for each indicator\n | project\n EmailUrlInfo_TimeGenerated,\n Description,\n ActivityGroupNames,\n IndicatorId,\n ThreatType,\n ExpirationDateTime,\n ConfidenceScore,\n Url,\n UrlLocation,\n NetworkMessageId; // Select relevant columns\nlet TI_Domains = TI_Indicators\n | where isnotempty(DomainName) // Filter for non-empty domain names\n | extend DomainName = tolower(DomainName) // Convert domain names to lowercase\n | join kind=innerunique (EmailUrlInfo_) on $left.DomainName == $right.UrlDomain // Join with email URL info on domain name\n | where EmailUrlInfo_TimeGenerated < ExpirationDateTime // Ensure email info was generated before the indicator expired\n | summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, UrlDomain // Get the latest email info for each indicator\n | project\n EmailUrlInfo_TimeGenerated,\n Description,\n ActivityGroupNames,\n IndicatorId,\n ThreatType,\n ExpirationDateTime,\n ConfidenceScore,\n UrlDomain,\n UrlLocation,\n NetworkMessageId; // Select relevant columns\nunion TI_Urls, TI_Domains // Combine URL and domain threat intelligence data\n | extend timestamp = EmailUrlInfo_TimeGenerated // Add a timestamp column\n | join kind=inner (EmailEvents_) on NetworkMessageId // Join with email events on network message ID\n | where DeliveryAction !has \"Blocked\" // Filter out blocked delivery actions\n | extend\n Name = tostring(split(RecipientEmailAddress, '@', 0)),\n UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)); // Extract name and UPN suffix from recipient email address\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -2622,16 +2629,16 @@ { "fieldMappings": [ { - "columnName": "RecipientEmailAddress", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "RecipientEmailAddress" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -2639,8 +2646,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -2699,7 +2706,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -2767,8 +2774,8 @@ { "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } ], "entityType": "IP" @@ -2776,25 +2783,25 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" } ], "customDetails": { - "IoCExpirationTime": "ExpirationDateTime", "ActivityGroupNames": "ActivityGroupNames", "IndicatorId": "IndicatorId", - "IoCConfidenceScore": "ConfidenceScore", + "IoCExpirationTime": "ExpirationDateTime", "IoCDescription": "Description", - "ThreatType": "ThreatType", - "EventTime": "Event_TimeGenerated" + "EventTime": "Event_TimeGenerated", + "IoCConfidenceScore": "ConfidenceScore", + "ThreatType": "ThreatType" }, "alertDetailsOverride": { - "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.", - "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC" + "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC", + "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator." } } }, @@ -2849,7 +2856,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -2911,8 +2918,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } ], "entityType": "Host" @@ -2920,8 +2927,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -2929,8 +2936,8 @@ { "fieldMappings": [ { - "columnName": "PA_Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "PA_Url" } ], "entityType": "URL" @@ -2989,7 +2996,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -3057,8 +3064,8 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" } ], "entityType": "Host" @@ -3066,8 +3073,8 @@ { "fieldMappings": [ { - "columnName": "IP_addr", - "identifier": "Address" + "identifier": "Address", + "columnName": "IP_addr" } ], "entityType": "IP" @@ -3075,8 +3082,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -3135,7 +3142,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -3197,16 +3204,16 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -3214,8 +3221,8 @@ { "fieldMappings": [ { - "columnName": "HostIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "HostIP" } ], "entityType": "IP" @@ -3223,8 +3230,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -3283,7 +3290,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -3345,16 +3352,16 @@ { "fieldMappings": [ { - "columnName": "Caller", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Caller" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -3362,8 +3369,8 @@ { "fieldMappings": [ { - "columnName": "CallerIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIpAddress" } ], "entityType": "IP" @@ -3371,8 +3378,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -3431,7 +3438,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -3493,16 +3500,16 @@ { "fieldMappings": [ { - "columnName": "RecipientEmailAddress", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "RecipientEmailAddress" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -3561,7 +3568,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -3623,16 +3630,16 @@ { "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -3640,8 +3647,8 @@ { "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ], "entityType": "IP" @@ -3649,8 +3656,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -3709,7 +3716,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", @@ -3771,8 +3778,8 @@ { "fieldMappings": [ { - "columnName": "DestinationUserID", - "identifier": "Name" + "identifier": "Name", + "columnName": "DestinationUserID" } ], "entityType": "Account" @@ -3780,8 +3787,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -3789,8 +3796,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -3849,7 +3856,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", @@ -3911,16 +3918,16 @@ { "fieldMappings": [ { - "columnName": "EntityEmail", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "EntityEmail" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -3928,8 +3935,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -3988,7 +3995,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", @@ -4062,8 +4069,8 @@ { "fieldMappings": [ { - "columnName": "TargetUserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetUserName" } ], "entityType": "Account" @@ -4071,12 +4078,12 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -4084,8 +4091,8 @@ { "fieldMappings": [ { - "columnName": "IpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IpAddress" } ], "entityType": "IP" @@ -4093,8 +4100,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -4153,7 +4160,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", @@ -4221,16 +4228,16 @@ { "fieldMappings": [ { - "columnName": "UserPrincipalName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserPrincipalName" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -4238,8 +4245,8 @@ { "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } ], "entityType": "IP" @@ -4247,8 +4254,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -4307,7 +4314,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", @@ -4369,16 +4376,16 @@ { "fieldMappings": [ { - "columnName": "SourceUserName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "SourceUserName" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -4386,16 +4393,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -4403,8 +4410,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -4412,8 +4419,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -4421,12 +4428,12 @@ { "fieldMappings": [ { - "columnName": "FileHashValue", - "identifier": "Value" + "identifier": "Value", + "columnName": "FileHashValue" }, { - "columnName": "FileHashType", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "FileHashType" } ], "entityType": "FileHash" @@ -4485,7 +4492,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_DeviceFileEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "FileHashEntity_DeviceFileEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", @@ -4547,16 +4554,16 @@ { "fieldMappings": [ { - "columnName": "RequestAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "RequestAccountName" }, { - "columnName": "RequestAccountSid", - "identifier": "Sid" + "identifier": "Sid", + "columnName": "RequestAccountSid" }, { - "columnName": "RequestAccountDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "RequestAccountDomain" } ], "entityType": "Account" @@ -4564,12 +4571,12 @@ { "fieldMappings": [ { - "columnName": "FileHashValue", - "identifier": "Value" + "identifier": "Value", + "columnName": "FileHashValue" }, { - "columnName": "FileHashType", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "FileHashType" } ], "entityType": "FileHash" @@ -4577,8 +4584,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } ], "entityType": "Host" @@ -4637,7 +4644,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", @@ -4711,16 +4718,16 @@ { "fieldMappings": [ { - "columnName": "Account", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Account" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -4728,16 +4735,16 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -4745,8 +4752,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -4754,12 +4761,12 @@ { "fieldMappings": [ { - "columnName": "FileHashValue", - "identifier": "Value" + "identifier": "Value", + "columnName": "FileHashValue" }, { - "columnName": "FileHashType", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "FileHashType" } ], "entityType": "FileHash" @@ -4818,7 +4825,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", @@ -4874,12 +4881,12 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -4887,8 +4894,8 @@ { "fieldMappings": [ { - "columnName": "CsUsername", - "identifier": "Name" + "identifier": "Name", + "columnName": "CsUsername" } ], "entityType": "Account" @@ -4896,8 +4903,8 @@ { "fieldMappings": [ { - "columnName": "CIp", - "identifier": "Address" + "identifier": "Address", + "columnName": "CIp" } ], "entityType": "IP" @@ -4905,8 +4912,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -4914,8 +4921,8 @@ { "fieldMappings": [ { - "columnName": "_ResourceId", - "identifier": "ResourceId" + "identifier": "ResourceId", + "columnName": "_ResourceId" } ], "entityType": "AzureResource" @@ -4977,7 +4984,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", @@ -5039,8 +5046,8 @@ { "fieldMappings": [ { - "columnName": "UserIdentityUserName", - "identifier": "ObjectGuid" + "identifier": "ObjectGuid", + "columnName": "UserIdentityUserName" } ], "entityType": "Account" @@ -5048,8 +5055,8 @@ { "fieldMappings": [ { - "columnName": "SourceIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIpAddress" } ], "entityType": "IP" @@ -5057,8 +5064,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -5117,7 +5124,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", @@ -5179,16 +5186,16 @@ { "fieldMappings": [ { - "columnName": "Caller", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Caller" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -5196,8 +5203,8 @@ { "fieldMappings": [ { - "columnName": "AadUserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "AadUserId" } ], "entityType": "Account" @@ -5205,8 +5212,8 @@ { "fieldMappings": [ { - "columnName": "CallerIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIpAddress" } ], "entityType": "IP" @@ -5214,8 +5221,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -5223,8 +5230,8 @@ { "fieldMappings": [ { - "columnName": "ResourceId", - "identifier": "ResourceId" + "identifier": "ResourceId", + "columnName": "ResourceId" } ], "entityType": "AzureResource" @@ -5283,7 +5290,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", @@ -5345,8 +5352,8 @@ { "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } ], "entityType": "IP" @@ -5354,8 +5361,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -5414,7 +5421,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", @@ -5476,8 +5483,8 @@ { "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ], "entityType": "IP" @@ -5485,8 +5492,8 @@ { "fieldMappings": [ { - "columnName": "ResourceId", - "identifier": "ResourceId" + "identifier": "ResourceId", + "columnName": "ResourceId" } ], "entityType": "AzureResource" @@ -5545,7 +5552,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", @@ -5601,16 +5608,16 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -5618,8 +5625,8 @@ { "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } ], "entityType": "IP" @@ -5627,8 +5634,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -5687,7 +5694,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", @@ -5749,8 +5756,8 @@ { "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ], "entityType": "IP" @@ -5809,7 +5816,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", @@ -5871,8 +5878,8 @@ { "fieldMappings": [ { - "columnName": "CS_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "CS_ipEntity" } ], "entityType": "IP" @@ -5931,7 +5938,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", @@ -5993,12 +6000,12 @@ { "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -6006,8 +6013,8 @@ { "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } ], "entityType": "IP" @@ -6015,8 +6022,8 @@ { "fieldMappings": [ { - "columnName": "RemoteUrl", - "identifier": "Url" + "identifier": "Url", + "columnName": "RemoteUrl" } ], "entityType": "URL" @@ -6024,8 +6031,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } ], "entityType": "Host" @@ -6084,7 +6091,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", @@ -6146,16 +6153,16 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -6163,8 +6170,8 @@ { "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ], "entityType": "IP" @@ -6172,8 +6179,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -6232,7 +6239,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", @@ -6300,25 +6307,25 @@ { "fieldMappings": [ { - "columnName": "DstIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "DstIpAddr" } ], "entityType": "IP" } ], "customDetails": { - "IoCExpirationTime": "ExpirationDateTime", "ActivityGroupNames": "ActivityGroupNames", "IndicatorId": "IndicatorId", - "IoCConfidenceScore": "ConfidenceScore", + "IoCExpirationTime": "ExpirationDateTime", "IoCDescription": "Description", - "ThreatType": "ThreatType", - "EventTime": "imNWS_TimeGenerated" + "EventTime": "imNWS_TimeGenerated", + "IoCConfidenceScore": "ConfidenceScore", + "ThreatType": "ThreatType" }, "alertDetailsOverride": { - "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.", - "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of the web request matches an IP IoC" + "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of the web request matches an IP IoC", + "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator." } } }, @@ -6373,7 +6380,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", @@ -6435,16 +6442,16 @@ { "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -6452,8 +6459,8 @@ { "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } ], "entityType": "IP" @@ -6461,8 +6468,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -6521,7 +6528,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", @@ -6589,16 +6596,16 @@ { "fieldMappings": [ { - "columnName": "UserPrincipalName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserPrincipalName" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -6606,8 +6613,8 @@ { "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } ], "entityType": "IP" @@ -6615,8 +6622,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -6675,7 +6682,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", @@ -6737,12 +6744,12 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -6750,8 +6757,8 @@ { "fieldMappings": [ { - "columnName": "RemoteIp", - "identifier": "Address" + "identifier": "Address", + "columnName": "RemoteIp" } ], "entityType": "IP" @@ -6759,8 +6766,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -6819,7 +6826,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", @@ -6881,8 +6888,8 @@ { "fieldMappings": [ { - "columnName": "csUserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "csUserName" } ], "entityType": "Account" @@ -6890,8 +6897,8 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "Computer" } ], "entityType": "Host" @@ -6899,8 +6906,8 @@ { "fieldMappings": [ { - "columnName": "cIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "cIP" } ], "entityType": "IP" @@ -6908,8 +6915,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -6968,7 +6975,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", @@ -7030,16 +7037,16 @@ { "fieldMappings": [ { - "columnName": "userPrincipalName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "userPrincipalName" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ], "entityType": "Account" @@ -7047,16 +7054,16 @@ { "fieldMappings": [ { - "columnName": "TargetResourceDisplayName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "TargetResourceDisplayName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } ], "entityType": "Host" @@ -7064,8 +7071,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -7124,7 +7131,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", @@ -7186,12 +7193,12 @@ { "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -7199,8 +7206,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" } ], "entityType": "Host" @@ -7208,8 +7215,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -7217,8 +7224,8 @@ { "fieldMappings": [ { - "columnName": "InitiatingProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "InitiatingProcessCommandLine" } ], "entityType": "Process" @@ -7277,7 +7284,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", @@ -7339,16 +7346,16 @@ { "fieldMappings": [ { - "columnName": "RecipientEmailAddress", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "RecipientEmailAddress" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -7356,8 +7363,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -7416,7 +7423,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", @@ -7478,16 +7485,16 @@ { "fieldMappings": [ { - "columnName": "User", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "User" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -7495,8 +7502,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -7555,7 +7562,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]", @@ -7617,8 +7624,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } ], "entityType": "Host" @@ -7626,8 +7633,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -7635,8 +7642,8 @@ { "fieldMappings": [ { - "columnName": "PA_Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "PA_Url" } ], "entityType": "URL" @@ -7695,7 +7702,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", @@ -7763,8 +7770,8 @@ { "fieldMappings": [ { - "columnName": "Compromised_Host", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "Compromised_Host" } ], "entityType": "Host" @@ -7772,8 +7779,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -7832,7 +7839,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]", @@ -7894,8 +7901,8 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "Computer" } ], "entityType": "Host" @@ -7903,8 +7910,8 @@ { "fieldMappings": [ { - "columnName": "HostIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "HostIP" } ], "entityType": "IP" @@ -7912,8 +7919,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -7972,7 +7979,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_UrlClickEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_UrlClickEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]", @@ -8034,16 +8041,16 @@ { "fieldMappings": [ { - "columnName": "AccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountUpn" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -8051,8 +8058,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -8111,7 +8118,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]", @@ -8173,16 +8180,16 @@ { "fieldMappings": [ { - "columnName": "user_name_s", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "user_name_s" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -8190,8 +8197,8 @@ { "fieldMappings": [ { - "columnName": "access_device_ip_s", - "identifier": "Address" + "identifier": "Address", + "columnName": "access_device_ip_s" } ], "entityType": "IP" @@ -8250,7 +8257,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]", @@ -8354,16 +8361,16 @@ { "fieldMappings": [ { - "columnName": "Dvc", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Dvc" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } ], "entityType": "Host" @@ -8371,8 +8378,8 @@ { "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } ], "entityType": "IP" @@ -8380,8 +8387,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -8389,25 +8396,25 @@ { "fieldMappings": [ { - "columnName": "Domain", - "identifier": "DomainName" + "identifier": "DomainName", + "columnName": "Domain" } ], "entityType": "DNS" } ], "customDetails": { - "LatestIndicatorTime": "LatestIndicatorTime", "DnsQuery": "DnsQuery", + "LatestIndicatorTime": "LatestIndicatorTime", + "DNSRequestTime": "DNS_TimeGenerated", + "ConfidenceScore": "ConfidenceScore", "ExpirationDateTime": "ExpirationDateTime", - "Description": "Description", "SourceIPAddress": "SrcIpAddr", - "ConfidenceScore": "ConfidenceScore", "ActivityGroupNames": "ActivityGroupNames", "IndicatorId": "IndicatorId", "QueryType": "DnsQueryType", - "ThreatType": "ThreatType", - "DNSRequestTime": "DNS_TimeGenerated" + "Description": "Description", + "ThreatType": "ThreatType" } } }, @@ -8462,7 +8469,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]", @@ -8566,8 +8573,8 @@ { "fieldMappings": [ { - "columnName": "Dvc", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Dvc" } ], "entityType": "Host" @@ -8575,8 +8582,8 @@ { "fieldMappings": [ { - "columnName": "IoC", - "identifier": "Address" + "identifier": "Address", + "columnName": "IoC" } ], "entityType": "IP" @@ -8584,28 +8591,28 @@ { "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } ], "entityType": "IP" } ], "customDetails": { - "LatestIndicatorTime": "LatestIndicatorTime", "DnsQuery": "DnsQuery", + "LatestIndicatorTime": "LatestIndicatorTime", + "DNSRequestTime": "imDns_mintime", + "ConfidenceScore": "ConfidenceScore", "ExpirationDateTime": "ExpirationDateTime", - "Description": "Description", "SourceIPAddress": "SrcIpAddr", - "ConfidenceScore": "ConfidenceScore", "ActivityGroupNames": "ActivityGroupNames", "IndicatorId": "IndicatorId", - "ThreatType": "ThreatType", - "DNSRequestTime": "imDns_mintime" + "Description": "Description", + "ThreatType": "ThreatType" }, "alertDetailsOverride": { - "alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.", - "alertDisplayNameFormat": "The response {{IoC}} to DNS query matched an IoC" + "alertDisplayNameFormat": "The response {{IoC}} to DNS query matched an IoC", + "alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator." } } }, @@ -8660,7 +8667,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]", @@ -8807,8 +8814,8 @@ { "fieldMappings": [ { - "columnName": "IoCIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "IoCIP" } ], "entityType": "IP" @@ -8816,18 +8823,18 @@ ], "customDetails": { "IoCIPDirection": "IoCDirection", - "IoCExpirationTime": "ExpirationDateTime", - "IndicatorId": "IndicatorId", - "ActivityGroupNames": "ActivityGroupNames", "EventStartTime": "imNWS_mintime", "EventEndTime": "imNWS_maxtime", + "IndicatorId": "IndicatorId", + "ActivityGroupNames": "ActivityGroupNames", + "IoCExpirationTime": "ExpirationDateTime", "IoCDescription": "Description", - "ThreatType": "ThreatType", - "IoCConfidenceScore": "ConfidenceScore" + "IoCConfidenceScore": "ConfidenceScore", + "ThreatType": "ThreatType" }, "alertDetailsOverride": { - "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.", - "alertDisplayNameFormat": "A network session {{IoCDirection}} address {{IoCIP}} matched an IoC." + "alertDisplayNameFormat": "A network session {{IoCDirection}} address {{IoCIP}} matched an IoC.", + "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator." } } }, @@ -8882,7 +8889,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]", @@ -8938,8 +8945,8 @@ { "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountCustomEntity" } ], "entityType": "Account" @@ -8947,8 +8954,8 @@ { "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ], "entityType": "IP" @@ -9007,7 +9014,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "DomainEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]", @@ -9057,8 +9064,8 @@ { "fieldMappings": [ { - "columnName": "DomainName", - "identifier": "DomainName" + "identifier": "DomainName", + "columnName": "DomainName" } ], "entityType": "DNS" @@ -9066,8 +9073,8 @@ { "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } ], "entityType": "IP" @@ -9126,7 +9133,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "EmailEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]", @@ -9176,16 +9183,16 @@ { "fieldMappings": [ { - "columnName": "Name", - "identifier": "DisplayName" + "identifier": "DisplayName", + "columnName": "Name" }, { - "columnName": "User_Id", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "User_Id" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -9244,7 +9251,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "FileHashEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]", @@ -9300,8 +9307,8 @@ { "fieldMappings": [ { - "columnName": "DestinationIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "DestinationIP" } ], "entityType": "IP" @@ -9309,8 +9316,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -9318,8 +9325,8 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "DeviceName" } ], "entityType": "Host" @@ -9327,12 +9334,12 @@ { "fieldMappings": [ { - "columnName": "FileHashValue", - "identifier": "Value" + "identifier": "Value", + "columnName": "FileHashValue" }, { - "columnName": "FileHashType", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "FileHashType" } ], "entityType": "FileHash" @@ -9391,7 +9398,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "IPEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject51').analyticRuleVersion51]", @@ -9441,8 +9448,8 @@ { "fieldMappings": [ { - "columnName": "TI_ipEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "TI_ipEntity" } ], "entityType": "IP" @@ -9450,8 +9457,8 @@ { "fieldMappings": [ { - "columnName": "NetworkDestinationIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "NetworkDestinationIP" } ], "entityType": "IP" @@ -9459,8 +9466,8 @@ { "fieldMappings": [ { - "columnName": "NetworkSourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "NetworkSourceIP" } ], "entityType": "IP" @@ -9468,8 +9475,8 @@ { "fieldMappings": [ { - "columnName": "EmailSourceIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "EmailSourceIPAddress" } ], "entityType": "IP" @@ -9528,7 +9535,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "URLEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject52').analyticRuleVersion52]", @@ -9578,16 +9585,16 @@ { "fieldMappings": [ { - "columnName": "AccountObjectId", - "identifier": "ObjectGuid" + "identifier": "ObjectGuid", + "columnName": "AccountObjectId" }, { - "columnName": "userPrincipalName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "userPrincipalName" }, { - "columnName": "AccountDisplayName", - "identifier": "DisplayName" + "identifier": "DisplayName", + "columnName": "AccountDisplayName" } ], "entityType": "Account" @@ -9595,8 +9602,8 @@ { "fieldMappings": [ { - "columnName": "Url", - "identifier": "Url" + "identifier": "Url", + "columnName": "Url" } ], "entityType": "URL" @@ -9604,8 +9611,8 @@ { "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } ], "entityType": "IP" @@ -9613,12 +9620,12 @@ { "fieldMappings": [ { - "columnName": "Application", - "identifier": "Name" + "identifier": "Name", + "columnName": "Application" }, { - "columnName": "ApplicationID", - "identifier": "AppId" + "identifier": "AppId", + "columnName": "ApplicationID" } ], "entityType": "CloudApplication" @@ -9668,17 +9675,156 @@ "version": "[variables('analyticRuleObject52').analyticRuleVersion52]" } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject53').analyticRuleTemplateSpecName53]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "IPEntity_Workday_AnalyticalRules Analytics Rule with template version 3.0.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject53').analyticRuleVersion53]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects a match in Workday activity from any IP Indicator of Compromise (IOC) provided by Threat Intelligence (TI).", + "displayName": "TI map IP entity to Workday(ASimAuditEventLogs)", + "enabled": false, + "query": "let dtLookBack = 1h; // Define the lookback period for audit events\nlet ioc_lookBack = 14d; // Define the lookback period for threat intelligence indicators\nThreatIntelligenceIndicator \n| where TimeGenerated >= ago(ioc_lookBack) // Filter threat intelligence indicators within the lookback period\n| where isnotempty(NetworkIP)\n or isnotempty(EmailSourceIpAddress)\n or isnotempty(NetworkDestinationIP)\n or isnotempty(NetworkSourceIP) // Filter for indicators with relevant IP fields\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId // Get the latest indicator time for each IndicatorId\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress) // Combine IP fields into a single entity\n | where Active == true and ExpirationDateTime > now() // Filter for active indicators that have not expired\n | join kind=inner (\n ASimAuditEventLogs\n | where EventVendor == \"Workday\" // Filter for Workday events\n | where TimeGenerated >= ago(dtLookBack) // Filter events within the lookback period\n | where isnotempty(DvcIpAddr) // Filter for events with a device IP address\n | extend WD_TimeGenerated = EventStartTime // Rename the event start time column\n | project WD_TimeGenerated, ActorUsername, DvcIpAddr, Operation, Object // Select relevant columns\n )\n on $left.TI_ipEntity == $right.DvcIpAddr // Join on the IP entity\n | project\n LatestIndicatorTime,\n Description,\n ActivityGroupNames,\n IndicatorId,\n ThreatType,\n Url,\n ExpirationDateTime,\n ConfidenceScore,\n WD_TimeGenerated,\n ActorUsername,\n DvcIpAddr,\n Operation,\n Object // Select relevant columns after the join\n | extend\n timestamp = WD_TimeGenerated,\n Name = tostring(split(ActorUsername, '@', 0)),\n UPNSuffix = tostring(split(ActorUsername, '@', 1)) // Add additional fields for timestamp, name, and UPN suffix \n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "ThreatIntelligence", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "ThreatIntelligenceTaxii", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "Workday", + "dataTypes": [ + "Workday" + ] + }, + { + "connectorId": "MicrosoftDefenderThreatIntelligence", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": [ + "T1071" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "ActorUsername" + }, + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "DvcIpAddr" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject53').analyticRuleId53,'/'))))]", + "properties": { + "description": "Threat Intelligence Analytics Rule 53", + "parentId": "[variables('analyticRuleObject53').analyticRuleId53]", + "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject53').analyticRuleVersion53]", + "source": { + "kind": "Solution", + "name": "Threat Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "contentKind": "AnalyticsRule", + "displayName": "TI map IP entity to Workday(ASimAuditEventLogs)", + "contentProductId": "[variables('analyticRuleObject53')._analyticRulecontentProductId53]", + "id": "[variables('analyticRuleObject53')._analyticRulecontentProductId53]", + "version": "[variables('analyticRuleObject53').analyticRuleVersion53]" + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.8", + "version": "3.0.9", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Threat Intelligence", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.

\n

Data Connectors: 5, Workbooks: 1, Analytic Rules: 52, Hunting Queries: 5

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.

\n

Data Connectors: 5, Workbooks: 1, Analytic Rules: 53, Hunting Queries: 5

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -10017,6 +10163,11 @@ "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject52')._analyticRulecontentId52]", "version": "[variables('analyticRuleObject52').analyticRuleVersion52]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject53')._analyticRulecontentId53]", + "version": "[variables('analyticRuleObject53').analyticRuleVersion53]" } ] }, diff --git a/Solutions/Threat Intelligence/ReleaseNotes.md b/Solutions/Threat Intelligence/ReleaseNotes.md index 1eafd5311ea..87bc2358067 100644 --- a/Solutions/Threat Intelligence/ReleaseNotes.md +++ b/Solutions/Threat Intelligence/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.0.9 | 03-12-2024 | Creted **Analytical Rule** (IPEntity_Workday) and Modified **Analytical Rule** | | 3.0.8 | 28-11-2024 | Removed (Preview) from name for **Data Connectors** Microsoft Defender Threat Intelligence and Premium Microsoft Defender Threat Intelligence, make the MDTI and PMDTI data connctors available in gov solution, and update descriptions of data connectors. | | 3.0.7 | 24-10-2024 | Updated Columns of **Analytical Rules** | | 3.0.6 | 24-09-2024 | Updated Entity Mappings of **Analytical Rules** |