![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\")
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20On-Premises/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Windows Event logs collection, including MS Exchange Management Event logs](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-windows-events)\n\nb. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 2, **Parsers:** 4, **Workbooks:** 4, **Analytic Rules:** 2, **Watchlists:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20On-Premises/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Windows Event logs collection, including MS Exchange Management Event logs](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-windows-events)\n\nb. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 8, **Parsers:** 5, **Workbooks:** 4, **Analytic Rules:** 2, **Watchlists:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -60,57 +60,64 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This solution installs two (2) data connectors for ingesting Microsoft Exchange on-premises events to provide security insights. Each of these data connectors help ingest a different set of logs/events."
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors2-text",
- "type": "Microsoft.Common.Section",
- "label": "1. Exchange Security Insights On-Premises Collector",
- "elements": [
- {
- "name": "dataconnectors3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This data connector collects security configuration, RBAC information and audit information from your on-premises Exchange environment(s). It uses a scheduled script that needs to be manually deployed in your environment. This connects directly (via proxy if needed) to Log Analytics/Microsoft Sentinel to ingest data."
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
- }
- ]
},
{
"name": "dataconnectors4-text",
- "type": "Microsoft.Common.Section",
- "label": "2. Exchange Audit Event logs via Legacy Agent",
- "elements": [
- {
- "name": "dataconnectors5-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This data connector uses Log Analytics Agent or Azure Monitor Agent to collect MSExchange Management Eventlogs, Exchange Security logs, Domain Controllers Security logs, IIS Logs, Exchange logs. Not all logs are required but it depends on your needs and on what you want to collect and secure for hunting in case of compromise. The first important logs consumed by this solution are “MSExchange Management” Event logs."
- }
- }
- ]
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors5-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
},
{
"name": "dataconnectors6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "After installing the solution, configure and enable the data connector that’s most relevant to your Exchange environment by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors7-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
- "name": "dataconnectors-parser",
- "type": "Microsoft.Common.Section",
- "label": "Parsers",
- "elements": [
+ "name": "dataconnectors8-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "The solution installs four (4) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, ExchangeAdminAuditLogs, MESCheckVIP and ExchangeEnvironmentList Kusto Function aliases."
+ "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
- }
- ]
},
{
"name": "dataconnectors-link2",
@@ -321,4 +328,4 @@
"workspace": "[basics('workspace')]"
}
}
-}
\ No newline at end of file
+}
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json
index b2e9d5ed6cd..8161f1dc1f8 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json
@@ -81,7 +81,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Microsoft Exchange Security - Exchange On-Premises",
- "_solutionVersion": "3.1.5",
+ "_solutionVersion": "3.3.0",
"solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-exchangesecurityinsights",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "ESI-ExchangeAdminAuditLogEvents",
@@ -91,7 +91,7 @@
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "2.2.1",
+ "dataConnectorVersion1": "2.2.2",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"uiConfigId2": "ESI-ExchangeOnPremisesCollector",
"_uiConfigId2": "[variables('uiConfigId2')]",
@@ -100,8 +100,62 @@
"dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
"_dataConnectorId2": "[variables('dataConnectorId2')]",
"dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.2.1",
+ "dataConnectorVersion2": "1.2.2",
"_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
+ "uiConfigId3": "ESI-Opt1ExchangeAdminAuditLogsByEventLogs",
+ "_uiConfigId3": "[variables('uiConfigId3')]",
+ "dataConnectorContentId3": "ESI-Opt1ExchangeAdminAuditLogsByEventLogs",
+ "_dataConnectorContentId3": "[variables('dataConnectorContentId3')]",
+ "dataConnectorId3": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]",
+ "_dataConnectorId3": "[variables('dataConnectorId3')]",
+ "dataConnectorTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId3'))))]",
+ "dataConnectorVersion3": "1.0.0",
+ "_dataConnectorcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId3'),'-', variables('dataConnectorVersion3'))))]",
+ "uiConfigId4": "ESI-Opt2ExchangeServersEventLogs",
+ "_uiConfigId4": "[variables('uiConfigId4')]",
+ "dataConnectorContentId4": "ESI-Opt2ExchangeServersEventLogs",
+ "_dataConnectorContentId4": "[variables('dataConnectorContentId4')]",
+ "dataConnectorId4": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]",
+ "_dataConnectorId4": "[variables('dataConnectorId4')]",
+ "dataConnectorTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId4'))))]",
+ "dataConnectorVersion4": "1.0.0",
+ "_dataConnectorcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId4'),'-', variables('dataConnectorVersion4'))))]",
+ "uiConfigId5": "ESI-Opt34DomainControllersSecurityEventLogs",
+ "_uiConfigId5": "[variables('uiConfigId5')]",
+ "dataConnectorContentId5": "ESI-Opt34DomainControllersSecurityEventLogs",
+ "_dataConnectorContentId5": "[variables('dataConnectorContentId5')]",
+ "dataConnectorId5": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]",
+ "_dataConnectorId5": "[variables('dataConnectorId5')]",
+ "dataConnectorTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId5'))))]",
+ "dataConnectorVersion5": "1.0.0",
+ "_dataConnectorcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId5'),'-', variables('dataConnectorVersion5'))))]",
+ "uiConfigId6": "ESI-Opt5ExchangeIISLogs",
+ "_uiConfigId6": "[variables('uiConfigId6')]",
+ "dataConnectorContentId6": "ESI-Opt5ExchangeIISLogs",
+ "_dataConnectorContentId6": "[variables('dataConnectorContentId6')]",
+ "dataConnectorId6": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId6'))]",
+ "_dataConnectorId6": "[variables('dataConnectorId6')]",
+ "dataConnectorTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId6'))))]",
+ "dataConnectorVersion6": "1.0.0",
+ "_dataConnectorcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId6'),'-', variables('dataConnectorVersion6'))))]",
+ "uiConfigId7": "ESI-Opt6ExchangeMessageTrackingLogs",
+ "_uiConfigId7": "[variables('uiConfigId7')]",
+ "dataConnectorContentId7": "ESI-Opt6ExchangeMessageTrackingLogs",
+ "_dataConnectorContentId7": "[variables('dataConnectorContentId7')]",
+ "dataConnectorId7": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId7'))]",
+ "_dataConnectorId7": "[variables('dataConnectorId7')]",
+ "dataConnectorTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId7'))))]",
+ "dataConnectorVersion7": "1.0.0",
+ "_dataConnectorcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId7'),'-', variables('dataConnectorVersion7'))))]",
+ "uiConfigId8": "ESI-Opt7ExchangeHTTPProxyLogs",
+ "_uiConfigId8": "[variables('uiConfigId8')]",
+ "dataConnectorContentId8": "ESI-Opt7ExchangeHTTPProxyLogs",
+ "_dataConnectorContentId8": "[variables('dataConnectorContentId8')]",
+ "dataConnectorId8": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId8'))]",
+ "_dataConnectorId8": "[variables('dataConnectorId8')]",
+ "dataConnectorTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId8'))))]",
+ "dataConnectorVersion8": "1.0.0",
+ "_dataConnectorcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId8'),'-', variables('dataConnectorVersion8'))))]",
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','ExchangeAdminAuditLogs Data Parser')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeAdminAuditLogs Data Parser')]",
@@ -130,6 +184,13 @@
"parserVersion4": "1.0.0",
"parserContentId4": "MESCheckVIP-Parser"
},
+ "parserObject5": {
+ "_parserName5": "[concat(parameters('workspace'),'/','MESCompareDataOnPMRA')]",
+ "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataOnPMRA')]",
+ "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCompareDataOnPMRA-Parser')))]",
+ "parserVersion5": "1.0.0",
+ "parserContentId5": "MESCompareDataOnPMRA-Parser"
+ },
"workbookVersion1": "1.0.1",
"workbookContentId1": "MicrosoftExchangeLeastPrivilegewithRBAC",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
@@ -149,7 +210,7 @@
"workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]",
"_workbookContentId3": "[variables('workbookContentId3')]",
"_workbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId3'),'-', variables('workbookVersion3'))))]",
- "workbookVersion4": "1.0.1",
+ "workbookVersion4": "2.0.0",
"workbookContentId4": "MicrosoftExchangeSecurityReview",
"workbookId4": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId4'))]",
"workbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId4'))))]",
@@ -185,7 +246,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.1.5",
+ "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -201,9 +262,9 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
- "title": "Microsoft Exchange Logs and Events",
+ "title": "[Deprecated] Microsoft Exchange Logs and Events",
"publisher": "Microsoft",
- "descriptionMarkdown": "You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
+ "descriptionMarkdown": "Deprecated, use the 'ESI-Opt' dataconnectors. You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
"graphQueries": [
{
"metricName": "Total data received",
@@ -301,35 +362,14 @@
"customs": [
{
"description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
}
]
},
"instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)",
- "instructions": [
- {
- "parameters": {
- "title": "Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)",
- "instructionSteps": [
- {
- "title": "1. Download the Parser file",
- "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)"
- },
- {
- "title": "2. Create Parser **ExchangeAdminAuditLogs** function",
- "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
- },
- {
- "title": "3. Save Parser **ExchangeAdminAuditLogs** function",
- "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again."
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
{
"description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)"
},
@@ -409,7 +449,7 @@
"instructionSteps": [
{
"title": "A. Create DCR, Type Event log",
- "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MS Exchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**."
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**."
}
]
},
@@ -429,7 +469,7 @@
},
{
"title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used",
- "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MS Exchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
+ "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MSExchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
"instructions": [
{
"parameters": {
@@ -890,15 +930,52 @@
}
],
"title": "2. Deploy log injestion following choosed options"
+ },
+ {
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below",
+ "instructionSteps": [
+ {
+ "title": "Manual Parser Deployment",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "1. Download the Parser file",
+ "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)"
+ },
+ {
+ "title": "2. Create Parser **ExchangeAdminAuditLogs** function",
+ "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
+ },
+ {
+ "title": "3. Save Parser **ExchangeAdminAuditLogs** function",
+ "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
}
],
"metadata": {
"id": "5738bef7-b6c0-4fec-ba0b-ac728bef83a9",
- "version": "2.2.1",
+ "version": "2.2.2",
"kind": "dataConnector",
"source": {
"kind": "solution",
- "name": "ESI - Exchange Security Configuration Analyzer"
+ "name": "Microsoft Exchange Security - Exchange On-Premises"
},
"support": {
"name": "Community",
@@ -946,7 +1023,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
- "displayName": "Microsoft Exchange Logs and Events",
+ "displayName": "[Deprecated] Microsoft Exchange Logs and Events",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
@@ -989,9 +1066,9 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
- "title": "Microsoft Exchange Logs and Events",
+ "title": "[Deprecated] Microsoft Exchange Logs and Events",
"publisher": "Microsoft",
- "descriptionMarkdown": "You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
+ "descriptionMarkdown": "Deprecated, use the 'ESI-Opt' dataconnectors. You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
"graphQueries": [
{
"metricName": "Total data received",
@@ -1089,35 +1166,14 @@
"customs": [
{
"description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
}
]
},
"instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)",
- "instructions": [
- {
- "parameters": {
- "title": "Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)",
- "instructionSteps": [
- {
- "title": "1. Download the Parser file",
- "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)"
- },
- {
- "title": "2. Create Parser **ExchangeAdminAuditLogs** function",
- "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
- },
- {
- "title": "3. Save Parser **ExchangeAdminAuditLogs** function",
- "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again."
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
{
"description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)"
},
@@ -1197,7 +1253,7 @@
"instructionSteps": [
{
"title": "A. Create DCR, Type Event log",
- "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MS Exchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**."
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**."
}
]
},
@@ -1217,7 +1273,7 @@
},
{
"title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used",
- "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MS Exchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
+ "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MSExchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
"instructions": [
{
"parameters": {
@@ -1678,6 +1734,43 @@
}
],
"title": "2. Deploy log injestion following choosed options"
+ },
+ {
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below",
+ "instructionSteps": [
+ {
+ "title": "Manual Parser Deployment",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "1. Download the Parser file",
+ "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)"
+ },
+ {
+ "title": "2. Create Parser **ExchangeAdminAuditLogs** function",
+ "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
+ },
+ {
+ "title": "3. Save Parser **ExchangeAdminAuditLogs** function",
+ "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
}
],
"id": "[variables('_uiConfigId1')]"
@@ -1693,7 +1786,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.1.5",
+ "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion2')]",
@@ -1709,7 +1802,7 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId2')]",
- "title": "Exchange Security Insights On-Premise Collector",
+ "title": "Exchange Security Insights On-Premises Collector",
"publisher": "Microsoft",
"descriptionMarkdown": "Connector used to push Exchange On-Premises Security configuration for Microsoft Sentinel Analysis",
"graphQueries": [
@@ -1728,7 +1821,7 @@
"dataTypes": [
{
"name": "ESIExchangeConfig_CL",
- "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time"
}
],
"connectivityCriterias": [
@@ -1770,40 +1863,14 @@
{
"name": "Service Account with Organization Management role",
"description": "The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information."
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
}
]
},
"instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)",
- "instructions": [
- {
- "parameters": {
- "title": "Parsers deployment",
- "instructionSteps": [
- {
- "title": "1. Download the Parser files",
- "description": "The latest version of the 2 files [**ExchangeConfiguration.yaml**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList.yaml**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)"
- },
- {
- "title": "2. Create Parser **ExchangeConfiguration** function",
- "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
- },
- {
- "title": "3. Save Parser **ExchangeConfiguration** function",
- "description": "Click on save button.\n Define the parameters as asked on the header of the parser file.\nClick save again."
- },
- {
- "title": "4. Reproduce the same steps for Parser **ExchangeEnvironmentList**",
- "description": "Reproduce the step 2 and 3 with the content of 'ExchangeEnvironmentList.yaml' file"
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ],
- "title": "Parser deployment **(When using Microsoft Exchange Security Solution, Parsers are automatically deployed)**"
- },
{
"description": "This is the script that will collect Exchange Information to push content in Microsoft Sentinel.\n ",
"instructions": [
@@ -1861,11 +1928,48 @@
{
"description": "The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.\n We recommend to schedule the script once a day.\n The account used to launch the Script needs to be member of the group Organization Management",
"title": "3. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)"
+ },
+ {
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below",
+ "instructionSteps": [
+ {
+ "title": "Manual Parser Deployment",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "1. Download the Parser file",
+ "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)"
+ },
+ {
+ "title": "2. Create Parser **ExchangeAdminAuditLogs** function",
+ "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
+ },
+ {
+ "title": "3. Save Parser **ExchangeAdminAuditLogs** function",
+ "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
}
],
"metadata": {
"id": "ed950fd7-e457-4a59-88f0-b9c949aa280d",
- "version": "1.2.1",
+ "version": "1.2.2",
"kind": "dataConnector",
"source": {
"kind": "solution",
@@ -1917,7 +2021,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId2')]",
"contentKind": "DataConnector",
- "displayName": "Exchange Security Insights On-Premise Collector",
+ "displayName": "Exchange Security Insights On-Premises Collector",
"contentProductId": "[variables('_dataConnectorcontentProductId2')]",
"id": "[variables('_dataConnectorcontentProductId2')]",
"version": "[variables('dataConnectorVersion2')]"
@@ -1960,7 +2064,7 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
- "title": "Exchange Security Insights On-Premise Collector",
+ "title": "Exchange Security Insights On-Premises Collector",
"publisher": "Microsoft",
"descriptionMarkdown": "Connector used to push Exchange On-Premises Security configuration for Microsoft Sentinel Analysis",
"graphQueries": [
@@ -1973,7 +2077,7 @@
"dataTypes": [
{
"name": "ESIExchangeConfig_CL",
- "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time"
}
],
"connectivityCriterias": [
@@ -2021,40 +2125,14 @@
{
"name": "Service Account with Organization Management role",
"description": "The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information."
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
}
]
},
"instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)",
- "instructions": [
- {
- "parameters": {
- "title": "Parsers deployment",
- "instructionSteps": [
- {
- "title": "1. Download the Parser files",
- "description": "The latest version of the 2 files [**ExchangeConfiguration.yaml**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList.yaml**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)"
- },
- {
- "title": "2. Create Parser **ExchangeConfiguration** function",
- "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
- },
- {
- "title": "3. Save Parser **ExchangeConfiguration** function",
- "description": "Click on save button.\n Define the parameters as asked on the header of the parser file.\nClick save again."
- },
- {
- "title": "4. Reproduce the same steps for Parser **ExchangeEnvironmentList**",
- "description": "Reproduce the step 2 and 3 with the content of 'ExchangeEnvironmentList.yaml' file"
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ],
- "title": "Parser deployment **(When using Microsoft Exchange Security Solution, Parsers are automatically deployed)**"
- },
{
"description": "This is the script that will collect Exchange Information to push content in Microsoft Sentinel.\n ",
"instructions": [
@@ -2112,6 +2190,43 @@
{
"description": "The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.\n We recommend to schedule the script once a day.\n The account used to launch the Script needs to be member of the group Organization Management",
"title": "3. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)"
+ },
+ {
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below",
+ "instructionSteps": [
+ {
+ "title": "Manual Parser Deployment",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "1. Download the Parser file",
+ "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)"
+ },
+ {
+ "title": "2. Create Parser **ExchangeAdminAuditLogs** function",
+ "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
+ },
+ {
+ "title": "3. Save Parser **ExchangeAdminAuditLogs** function",
+ "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
}
],
"id": "[variables('_uiConfigId2')]"
@@ -2121,76 +2236,2828 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('parserObject1').parserTemplateSpecName1]",
+ "name": "[variables('dataConnectorTemplateSpecName3')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ExchangeAdminAuditLogs Data Parser with template version 3.1.5",
+ "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserObject1').parserVersion1]",
+ "contentVersion": "[variables('dataConnectorVersion3')]",
"parameters": {},
"variables": {},
"resources": [
{
- "name": "[variables('parserObject1')._parserName1]",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
"properties": {
- "eTag": "*",
- "displayName": "Parser for ExchangeAdminAuditLogs",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "ExchangeAdminAuditLogs",
- "query": "let CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/CmdletWatchlist.csv\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) ;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.displayName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n let SearchUserCanonicalName = T | join Watchlist on $left.TargetObject == $right.canonicalName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserObjectSID = T | join Watchlist on $left.TargetObject == $right.objectSID | project TargetObject,SearchKey;\n let SearchUserObjectGUID = T | join (Watchlist | extend objectGuidString = tostring(objectGUID)) on $left.TargetObject == $right.objectGuidString | project TargetObject,SearchKey;\n let SearchUserDistinguishedName = T | join Watchlist on $left.TargetObject == $right.distinguishedName | project TargetObject,SearchKey;\n union isfuzzy=true withsource=TableName \n SearchUserDisplayName, \n SearchUserUPN, \n SearchUserCanonicalName, \n SearchUserSAMAccountName,\n SearchUserObjectSID,\n SearchUserObjectGUID,\n SearchUserDistinguishedName\n };\nlet Env = ExchangeConfiguration(SpecificSectionList=\"ESIEnvironment\")\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\n| project DomainFQDN_, ESIEnvironment;\nlet EventList = Event\n | where EventLog == 'MSExchange Management'\n | where EventID in (1,6) // 1 = Success, 6 = Failure\n | parse ParameterXml with '' CmdletName '' CmdletParameters '' Caller '' *\n | extend TargetObject = iif( CmdletParameters has \"-Identity \", split(split(CmdletParameters,'-Identity ')[1],'\"')[1], iif( CmdletParameters has \"-Name \", split(split(CmdletParameters,'-Name ')[1],'\"')[1], \"\"));\nlet MSExchange_Management = (){\nEventList\n | extend Status = case( EventID == 1, 'Success', 'Failure')\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\n | join kind=leftouter ( \n Env\n ) on $left.DomainEnv == $right.DomainFQDN_\n | extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\"Unknown-\",DomainEnv))\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project TimeGenerated,Computer,Status,Caller,TargetObject,IsVIP,canonicalName,displayName,distinguishedName,objectGUID,objectSID,sAMAccountName,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented, ESIEnvironment\n};\nMSExchange_Management\n",
- "functionParameters": "",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
- "dependsOn": [
- "[variables('parserObject1')._parserId1]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeAdminAuditLogs Data Parser')]",
- "contentId": "[variables('parserObject1').parserContentId1]",
- "kind": "Parser",
- "version": "[variables('parserObject1').parserVersion1]",
- "source": {
- "name": "Microsoft Exchange Security - Exchange On-Premises",
- "kind": "Solution",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Community",
- "tier": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('parserObject1').parserContentId1]",
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId3')]",
+ "title": "Microsoft Exchange Admin Audit Logs by Event Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[Option 1] - Using Azure Monitor Agent - You can stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "ExchangeAuditLogs",
+ "baseQuery": "Event | where EventLog == 'MSExchange Management'"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit logs",
+ "query": "Event | where EventLog == 'MSExchange Management' | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Event",
+ "lastDataReceivedQuery": "Event | where EventLog == 'MSExchange Management' | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Event | where EventLog == 'MSExchange Management' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 1** of the wiki."
+ },
+ {
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel"
+ },
+ {
+ "description": "The MS Exchange Admin Audit event logs are collected using Data Collection Rules (DCR) and allow to store all Administrative Cmdlets executed in an Exchange environment.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "DCR",
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules Deployment",
+ "description": "**Enable data collection rule**\n> Microsoft Exchange Admin Audit Events logs are collected only from **Windows** agents.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered)",
+ "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCROption1-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Automation",
+ "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCR, Type Event log",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Assign the DCR to all Exchange Servers",
+ "description": "Add all your Exchange Servers to the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "2. [Option 1] MS Exchange Management Log collection - MS Exchange Admin Audit event logs by Data Collection Rules"
+ },
+ {
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below",
+ "instructionSteps": [
+ {
+ "title": "Manual Parser Deployment",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "1. Download the Parser file",
+ "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)"
+ },
+ {
+ "title": "2. Create Parser **ExchangeAdminAuditLogs** function",
+ "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
+ },
+ {
+ "title": "3. Save Parser **ExchangeAdminAuditLogs** function",
+ "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "id": "dfa2e270-b24f-4d76-b9a5-cd4a878596bf",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]",
+ "contentId": "[variables('_dataConnectorContentId3')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion3')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId3')]",
+ "contentKind": "DataConnector",
+ "displayName": "Microsoft Exchange Admin Audit Logs by Event Logs",
+ "contentProductId": "[variables('_dataConnectorcontentProductId3')]",
+ "id": "[variables('_dataConnectorcontentProductId3')]",
+ "version": "[variables('dataConnectorVersion3')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId3')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]",
+ "contentId": "[variables('_dataConnectorContentId3')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion3')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "Microsoft Exchange Admin Audit Logs by Event Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[Option 1] - Using Azure Monitor Agent - You can stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "ExchangeAuditLogs",
+ "baseQuery": "Event | where EventLog == 'MSExchange Management'"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Event",
+ "lastDataReceivedQuery": "Event | where EventLog == 'MSExchange Management' | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Event | where EventLog == 'MSExchange Management' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit logs",
+ "query": "Event | where EventLog == 'MSExchange Management' | sort by TimeGenerated"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 1** of the wiki."
+ },
+ {
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel"
+ },
+ {
+ "description": "The MS Exchange Admin Audit event logs are collected using Data Collection Rules (DCR) and allow to store all Administrative Cmdlets executed in an Exchange environment.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "DCR",
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules Deployment",
+ "description": "**Enable data collection rule**\n> Microsoft Exchange Admin Audit Events logs are collected only from **Windows** agents.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered)",
+ "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCROption1-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Automation",
+ "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCR, Type Event log",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Assign the DCR to all Exchange Servers",
+ "description": "Add all your Exchange Servers to the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "2. [Option 1] MS Exchange Management Log collection - MS Exchange Admin Audit event logs by Data Collection Rules"
+ },
+ {
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below",
+ "instructionSteps": [
+ {
+ "title": "Manual Parser Deployment",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "1. Download the Parser file",
+ "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)"
+ },
+ {
+ "title": "2. Create Parser **ExchangeAdminAuditLogs** function",
+ "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
+ },
+ {
+ "title": "3. Save Parser **ExchangeAdminAuditLogs** function",
+ "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ],
+ "id": "[variables('_uiConfigId3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName4')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion4')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId4')]",
+ "title": "Microsoft Exchange Logs and Events",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[Option 2] - Using Azure Monitor Agent - You can stream all Exchange Security & Application Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Exchange Eventlogs",
+ "baseQuery": "Event | where EventLog == 'Application'"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit logs",
+ "query": "Event | where EventLog == 'Application' | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Event",
+ "lastDataReceivedQuery": "Event | where EventLog == 'Application' | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Event | where EventLog == 'Application' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Azure Log Analytics will be deprecated",
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 2** of the wiki."
+ },
+ {
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel"
+ },
+ {
+ "description": "The Security/Application/System logs of Exchange Servers are collected using Data Collection Rules (DCR).",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Security Event log collection",
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules - Security Event logs",
+ "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add Exchange Servers on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. Please select 'Common' or 'All Security Events' on DCR definition.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "OpenCreateDataCollectionRule",
+ "dataCollectionRuleType": 0
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ },
+ {
+ "parameters": {
+ "title": "Application and System Event log collection",
+ "instructionSteps": [
+ {
+ "title": "Enable data collection rule",
+ "description": "> Application and System Events logs are collected only from **Windows** agents.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered method)",
+ "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCROption2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Automation",
+ "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCR, Type Event log",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Basic' option.\n6. For Application, select 'Critical', 'Error' and 'Warning'. For System, select Critical/Error/Warning/Information. \n7. 'Make other preferable configuration changes', if needed, then click **Create**."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Assign the DCR to all Exchange Servers",
+ "description": "Add all your Exchange Servers to the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "2. [Option 2] Security/Application/System logs of Exchange Servers"
+ }
+ ],
+ "metadata": {
+ "id": "22e0234b-278d-40f4-8be8-c2968faeaf91",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]",
+ "contentId": "[variables('_dataConnectorContentId4')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion4')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId4')]",
+ "contentKind": "DataConnector",
+ "displayName": "Microsoft Exchange Logs and Events",
+ "contentProductId": "[variables('_dataConnectorcontentProductId4')]",
+ "id": "[variables('_dataConnectorcontentProductId4')]",
+ "version": "[variables('dataConnectorVersion4')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId4')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]",
+ "contentId": "[variables('_dataConnectorContentId4')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion4')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "Microsoft Exchange Logs and Events",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[Option 2] - Using Azure Monitor Agent - You can stream all Exchange Security & Application Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Exchange Eventlogs",
+ "baseQuery": "Event | where EventLog == 'Application'"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Event",
+ "lastDataReceivedQuery": "Event | where EventLog == 'Application' | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Event | where EventLog == 'Application' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit logs",
+ "query": "Event | where EventLog == 'Application' | sort by TimeGenerated"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Azure Log Analytics will be deprecated",
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 2** of the wiki."
+ },
+ {
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel"
+ },
+ {
+ "description": "The Security/Application/System logs of Exchange Servers are collected using Data Collection Rules (DCR).",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Security Event log collection",
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules - Security Event logs",
+ "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add Exchange Servers on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. Please select 'Common' or 'All Security Events' on DCR definition.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "OpenCreateDataCollectionRule",
+ "dataCollectionRuleType": 0
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ },
+ {
+ "parameters": {
+ "title": "Application and System Event log collection",
+ "instructionSteps": [
+ {
+ "title": "Enable data collection rule",
+ "description": "> Application and System Events logs are collected only from **Windows** agents.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered method)",
+ "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCROption2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Automation",
+ "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCR, Type Event log",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Basic' option.\n6. For Application, select 'Critical', 'Error' and 'Warning'. For System, select Critical/Error/Warning/Information. \n7. 'Make other preferable configuration changes', if needed, then click **Create**."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Assign the DCR to all Exchange Servers",
+ "description": "Add all your Exchange Servers to the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "2. [Option 2] Security/Application/System logs of Exchange Servers"
+ }
+ ],
+ "id": "[variables('_uiConfigId4')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName5')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion5')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId5')]",
+ "title": " Microsoft Active-Directory Domain Controllers Security Event Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[Option 3 & 4] - Using Azure Monitor Agent -You can stream a part or all Domain Controllers Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Domain Controllers Security Logs",
+ "baseQuery": "SecurityEvent"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit logs",
+ "query": "SecurityEvent | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "SecurityEvent",
+ "lastDataReceivedQuery": "SecurityEvent | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "SecurityEvent | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 3 and 4** of the wiki."
+ },
+ {
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel"
+ },
+ {
+ "description": "Select how to stream Security logs of Domain Controllers. If you want to implement Option 3, you just need to select DC on same site as Exchange Servers. If you want to implement Option 4, you can select all DCs of your forest.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "[Option 3] List only Domain Controllers on the same site as Exchange Servers for next step",
+ "description": "**This limits the quantity of data injested but some incident can't be detected.**"
+ },
+ {
+ "title": "[Option 4] List all Domain Controllers of your Active-Directory Forest for next step",
+ "description": "**This allows collecting all security events**"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ },
+ {
+ "parameters": {
+ "title": "Security Event log collection",
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules - Security Event logs",
+ "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add chosen DCs on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. Please select 'Common' or 'All Security Events' on DCR definition.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "OpenCreateDataCollectionRule",
+ "dataCollectionRuleType": 0
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "Security logs of Domain Controllers"
+ }
+ ],
+ "metadata": {
+ "id": "036e16af-5a27-465a-8662-b7ac385a8d45",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]",
+ "contentId": "[variables('_dataConnectorContentId5')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion5')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId5')]",
+ "contentKind": "DataConnector",
+ "displayName": " Microsoft Active-Directory Domain Controllers Security Event Logs",
+ "contentProductId": "[variables('_dataConnectorcontentProductId5')]",
+ "id": "[variables('_dataConnectorcontentProductId5')]",
+ "version": "[variables('dataConnectorVersion5')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId5')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]",
+ "contentId": "[variables('_dataConnectorContentId5')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion5')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": " Microsoft Active-Directory Domain Controllers Security Event Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[Option 3 & 4] - Using Azure Monitor Agent -You can stream a part or all Domain Controllers Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Domain Controllers Security Logs",
+ "baseQuery": "SecurityEvent"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "SecurityEvent",
+ "lastDataReceivedQuery": "SecurityEvent | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "SecurityEvent | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit logs",
+ "query": "SecurityEvent | sort by TimeGenerated"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 3 and 4** of the wiki."
+ },
+ {
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel"
+ },
+ {
+ "description": "Select how to stream Security logs of Domain Controllers. If you want to implement Option 3, you just need to select DC on same site as Exchange Servers. If you want to implement Option 4, you can select all DCs of your forest.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "[Option 3] List only Domain Controllers on the same site as Exchange Servers for next step",
+ "description": "**This limits the quantity of data injested but some incident can't be detected.**"
+ },
+ {
+ "title": "[Option 4] List all Domain Controllers of your Active-Directory Forest for next step",
+ "description": "**This allows collecting all security events**"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ },
+ {
+ "parameters": {
+ "title": "Security Event log collection",
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules - Security Event logs",
+ "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add chosen DCs on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. Please select 'Common' or 'All Security Events' on DCR definition.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "OpenCreateDataCollectionRule",
+ "dataCollectionRuleType": 0
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "Security logs of Domain Controllers"
+ }
+ ],
+ "id": "[variables('_uiConfigId5')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName6')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion6')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId6'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId6')]",
+ "title": "IIS Logs of Microsoft Exchange Servers",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[Option 5] - Using Azure Monitor Agent - You can stream all IIS Logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Exchange IIS logs",
+ "baseQuery": "W3CIISLog"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit logs",
+ "query": "W3CIISLog | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "W3CIISLog",
+ "lastDataReceivedQuery": "W3CIISLog | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "W3CIISLog | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 5** of the wiki."
+ },
+ {
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel"
+ },
+ {
+ "description": "Select how to stream IIS logs of Exchange Servers",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Enable data collection rule",
+ "description": "> IIS logs are collected only from **Windows** agents.",
+ "instructions": [
+ {
+ "type": "AdminAuditEvents"
+ },
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template (Preferred Method)",
+ "description": "Use this method for automated deployment of the DCE and DCR.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCE (If not already created for Exchange Servers)",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy."
+ },
+ {
+ "title": "B. Deploy Data Connection Rule",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCROption5-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Automation",
+ "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCE (If not already created for Exchange Servers)",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**."
+ },
+ {
+ "title": "B. Create DCR, Type IIS log",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. Select the created DCE. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'IIS logs' (Do not enter a path if IIS Logs path is configured by default). Click on 'Add data source'\n6. 'Make other preferable configuration changes', if needed, then click **Create**."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Assign the DCR to all Exchange Servers",
+ "description": "Add all your Exchange Servers to the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "[Option 5] IIS logs of Exchange Servers"
+ }
+ ],
+ "metadata": {
+ "id": "4b1075ed-80f5-4930-bfe1-877e86b48dc1",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId6'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId6'))]",
+ "contentId": "[variables('_dataConnectorContentId6')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion6')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId6')]",
+ "contentKind": "DataConnector",
+ "displayName": "IIS Logs of Microsoft Exchange Servers",
+ "contentProductId": "[variables('_dataConnectorcontentProductId6')]",
+ "id": "[variables('_dataConnectorcontentProductId6')]",
+ "version": "[variables('dataConnectorVersion6')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId6'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId6')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId6'))]",
+ "contentId": "[variables('_dataConnectorContentId6')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion6')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId6'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "IIS Logs of Microsoft Exchange Servers",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[Option 5] - Using Azure Monitor Agent - You can stream all IIS Logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Exchange IIS logs",
+ "baseQuery": "W3CIISLog"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "W3CIISLog",
+ "lastDataReceivedQuery": "W3CIISLog | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "W3CIISLog | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit logs",
+ "query": "W3CIISLog | sort by TimeGenerated"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 5** of the wiki."
+ },
+ {
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel"
+ },
+ {
+ "description": "Select how to stream IIS logs of Exchange Servers",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Enable data collection rule",
+ "description": "> IIS logs are collected only from **Windows** agents.",
+ "instructions": [
+ {
+ "type": "AdminAuditEvents"
+ },
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template (Preferred Method)",
+ "description": "Use this method for automated deployment of the DCE and DCR.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCE (If not already created for Exchange Servers)",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy."
+ },
+ {
+ "title": "B. Deploy Data Connection Rule",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCROption5-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Automation",
+ "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCE (If not already created for Exchange Servers)",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**."
+ },
+ {
+ "title": "B. Create DCR, Type IIS log",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. Select the created DCE. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'IIS logs' (Do not enter a path if IIS Logs path is configured by default). Click on 'Add data source'\n6. 'Make other preferable configuration changes', if needed, then click **Create**."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Assign the DCR to all Exchange Servers",
+ "description": "Add all your Exchange Servers to the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "[Option 5] IIS logs of Exchange Servers"
+ }
+ ],
+ "id": "[variables('_uiConfigId6')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName7')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion7')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId7'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId7')]",
+ "title": "Microsoft Exchange Message Tracking Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[Option 6] - Using Azure Monitor Agent - You can stream all Exchange Message Tracking from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. Those logs can be used to track the flow of messages in your Exchange environment. This data connector is based on the option 6 of the [Microsoft Exchange Security wiki](https://aka.ms/ESI_DataConnectorOptions).",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Exchange Message Tracking logs",
+ "baseQuery": "MessageTrackingLog_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Exchange Message Tracking logs",
+ "query": "MessageTrackingLog_CL | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "MessageTrackingLog_CL",
+ "lastDataReceivedQuery": "MessageTrackingLog_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "MessageTrackingLog_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Azure Log Analytics will be deprecated",
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 6** of the wiki."
+ },
+ {
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel"
+ },
+ {
+ "description": "Select how to stream Message Tracking of Exchange Servers",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules - When Azure Monitor Agent is used",
+ "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template",
+ "description": "Use this method for automated deployment of the DCE and DCR.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCE (If not already created for Exchange Servers)",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy."
+ },
+ {
+ "title": "B. Deploy Data Connection Rule and Custom Table",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCROption6-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Automation",
+ "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Create Custom Table - Explanation",
+ "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)."
+ },
+ {
+ "title": "Create Custom Table using an ARM Template",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-MessageTrackingCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy."
+ },
+ {
+ "title": "Create Custom Table using PowerShell in Cloud Shell",
+ "description": "1. From the Azure Portal, open a Cloud Shell.\n2. Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t\"schema\": {\n\t\t\t\t\t \"name\": \"MessageTrackingLog_CL\",\n\t\t\t\t\t \"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"directionality\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"reference\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"source\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientIP\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"connectorId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"customData\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"eventId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"internalMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"logId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageSubject\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"networkMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalClientIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalServerIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientCount\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"relatedRecipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"returnPath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"serverIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"sourceContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"schemaVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageTrackingTenantId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"totalBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"transportTrafficType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t'@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/MessageTrackingLog_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ },
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCE (If not already created for Exchange Servers)",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE, like ESI-ExchangeServers. \n3. 'Make other preferable configuration changes', if needed, then click **Create**."
+ },
+ {
+ "title": "B. Create a DCR, Type Custom log",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option6-MessageTrackingLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log' in file pattern, 'MessageTrackingLog_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend TimeGenerated =todatetime(d[0]) ,clientIP =tostring(d[1]) ,clientHostname =tostring(d[2]) ,serverIp=tostring(d[3]) ,senderHostname=tostring(d[4]) ,sourceContext=tostring(d[5]) ,connectorId =tostring(d[6]) ,source=tostring(d[7]) ,eventId =tostring(d[8]) ,internalMessageId =tostring(d[9]) ,messageId =tostring(d[10]) ,networkMessageId =tostring(d[11]) ,recipientAddress=tostring(d[12]) ,recipientStatus=tostring(d[13]) ,totalBytes=tostring(d[14]) ,recipientCount=tostring(d[15]) ,relatedRecipientAddress=tostring(d[16]) ,reference=tostring(d[17]) ,messageSubject =tostring(d[18]) ,senderAddress=tostring(d[19]) ,returnPath=tostring(d[20]) ,messageInfo =tostring(d[21]) ,directionality=tostring(d[22]) ,messageTrackingTenantId =tostring(d[23]) ,originalClientIp =tostring(d[24]) ,originalServerIp =tostring(d[25]) ,customData=tostring(d[26]) ,transportTrafficType =tostring(d[27]) ,logId =tostring(d[28]) ,schemaVersion=tostring(d[29]) | project-away d,RawData\n and click on 'Destination'.\n6. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n7. Click on 'Add data source'.\n8. Fill other required parameters and tags and create the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Assign the DCR to all Exchange Servers",
+ "description": "Add all your Exchange Servers to the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "2. Message Tracking of Exchange Servers"
+ }
+ ],
+ "metadata": {
+ "id": "ababbb06-b977-4259-ab76-87874d353039",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId7'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId7'))]",
+ "contentId": "[variables('_dataConnectorContentId7')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion7')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId7')]",
+ "contentKind": "DataConnector",
+ "displayName": "Microsoft Exchange Message Tracking Logs",
+ "contentProductId": "[variables('_dataConnectorcontentProductId7')]",
+ "id": "[variables('_dataConnectorcontentProductId7')]",
+ "version": "[variables('dataConnectorVersion7')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId7'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId7')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId7'))]",
+ "contentId": "[variables('_dataConnectorContentId7')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion7')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId7'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "Microsoft Exchange Message Tracking Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[Option 6] - Using Azure Monitor Agent - You can stream all Exchange Message Tracking from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. Those logs can be used to track the flow of messages in your Exchange environment. This data connector is based on the option 6 of the [Microsoft Exchange Security wiki](https://aka.ms/ESI_DataConnectorOptions).",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Exchange Message Tracking logs",
+ "baseQuery": "MessageTrackingLog_CL"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "MessageTrackingLog_CL",
+ "lastDataReceivedQuery": "MessageTrackingLog_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "MessageTrackingLog_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Exchange Message Tracking logs",
+ "query": "MessageTrackingLog_CL | sort by TimeGenerated"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Azure Log Analytics will be deprecated",
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 6** of the wiki."
+ },
+ {
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel"
+ },
+ {
+ "description": "Select how to stream Message Tracking of Exchange Servers",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules - When Azure Monitor Agent is used",
+ "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template",
+ "description": "Use this method for automated deployment of the DCE and DCR.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCE (If not already created for Exchange Servers)",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy."
+ },
+ {
+ "title": "B. Deploy Data Connection Rule and Custom Table",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCROption6-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Automation",
+ "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Create Custom Table - Explanation",
+ "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)."
+ },
+ {
+ "title": "Create Custom Table using an ARM Template",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-MessageTrackingCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy."
+ },
+ {
+ "title": "Create Custom Table using PowerShell in Cloud Shell",
+ "description": "1. From the Azure Portal, open a Cloud Shell.\n2. Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t\"schema\": {\n\t\t\t\t\t \"name\": \"MessageTrackingLog_CL\",\n\t\t\t\t\t \"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"directionality\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"reference\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"source\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientIP\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"connectorId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"customData\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"eventId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"internalMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"logId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageSubject\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"networkMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalClientIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalServerIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientCount\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"relatedRecipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"returnPath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"serverIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"sourceContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"schemaVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageTrackingTenantId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"totalBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"transportTrafficType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t'@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/MessageTrackingLog_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ },
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCE (If not already created for Exchange Servers)",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE, like ESI-ExchangeServers. \n3. 'Make other preferable configuration changes', if needed, then click **Create**."
+ },
+ {
+ "title": "B. Create a DCR, Type Custom log",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option6-MessageTrackingLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log' in file pattern, 'MessageTrackingLog_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend TimeGenerated =todatetime(d[0]) ,clientIP =tostring(d[1]) ,clientHostname =tostring(d[2]) ,serverIp=tostring(d[3]) ,senderHostname=tostring(d[4]) ,sourceContext=tostring(d[5]) ,connectorId =tostring(d[6]) ,source=tostring(d[7]) ,eventId =tostring(d[8]) ,internalMessageId =tostring(d[9]) ,messageId =tostring(d[10]) ,networkMessageId =tostring(d[11]) ,recipientAddress=tostring(d[12]) ,recipientStatus=tostring(d[13]) ,totalBytes=tostring(d[14]) ,recipientCount=tostring(d[15]) ,relatedRecipientAddress=tostring(d[16]) ,reference=tostring(d[17]) ,messageSubject =tostring(d[18]) ,senderAddress=tostring(d[19]) ,returnPath=tostring(d[20]) ,messageInfo =tostring(d[21]) ,directionality=tostring(d[22]) ,messageTrackingTenantId =tostring(d[23]) ,originalClientIp =tostring(d[24]) ,originalServerIp =tostring(d[25]) ,customData=tostring(d[26]) ,transportTrafficType =tostring(d[27]) ,logId =tostring(d[28]) ,schemaVersion=tostring(d[29]) | project-away d,RawData\n and click on 'Destination'.\n6. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n7. Click on 'Add data source'.\n8. Fill other required parameters and tags and create the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Assign the DCR to all Exchange Servers",
+ "description": "Add all your Exchange Servers to the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "2. Message Tracking of Exchange Servers"
+ }
+ ],
+ "id": "[variables('_uiConfigId7')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName8')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion8')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId8'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId8')]",
+ "title": "Microsoft Exchange HTTP Proxy Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[Option 7] - Using Azure Monitor Agent - You can stream HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you create custom alerts, and improve investigation. [Learn more](https://aka.ms/ESI_DataConnectorOptions)",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Exchange HTTPProxy logs",
+ "baseQuery": "ExchangeHttpProxy_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit logs",
+ "query": "ExchangeHttpProxy_CL | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "ExchangeHttpProxy_CL",
+ "lastDataReceivedQuery": "ExchangeHttpProxy_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "ExchangeHttpProxy_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Azure Log Analytics will be deprecated",
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 7** of the wiki."
+ },
+ {
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel"
+ },
+ {
+ "description": "Select how to stream HTTP Proxy of Exchange Servers",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules - When Azure Monitor Agent is used",
+ "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered Method)",
+ "description": "Use this method for automated deployment of the DCE and DCR.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCE (If not already created for Exchange Servers)",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy."
+ },
+ {
+ "title": "B. Deploy Data Connection Rule",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCROption7-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Automation",
+ "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Create Custom Table - Explanation",
+ "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)."
+ },
+ {
+ "title": "Create Custom Table using an ARM Template",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-HTTPProxyCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy."
+ },
+ {
+ "title": "Create Custom Table using PowerShell in Cloud Shell",
+ "description": "1. From the Azure Portal, open a Cloud Shell.\n2. Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t \"schema\": {\n\t\t\t\t\t\t\"name\": \"ExchangeHttpProxy_CL\",\n\t\t\t\t\t\t\"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AccountForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ActivityContextLifeTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ADLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AnchorMailbox\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticatedUser\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticationType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthModulePerfContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndCookie\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndGenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendProcessingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BuildVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CalculateTargetBackEndLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientIpAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CoreLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"DatabaseGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"EdgeTraceId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ErrorCode\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericErrors\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GlsLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerCompletionLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerToModuleSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpPipelineLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpProxyOverhead\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"IsAuthenticated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"KerberosAuthHeaderLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MajorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Method\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MinorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ModuleToHandlerSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Organization\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"PartitionEndpointLookupLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Protocol\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProtocolAction\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyAction\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestHandlerLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResourceForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResponseBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RevisionVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RouteRefresherLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingHint\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerHostName\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorHost\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"SharedCacheLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetOutstandingRequests\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServer\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServerVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalAccountForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalGlsLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalRequestTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalResourceForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalSharedCacheLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlHost\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlQuery\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlStem\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserADObjectGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserAgent\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t }\n\t\t\t }\n\t\t }\n\t\t '@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/ExchangeHttpProxy_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ },
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCE (If not already created for Exchange Servers)",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**."
+ },
+ {
+ "title": "B. Create a DCR, Type Custom log",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option7-HTTPProxyLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter the following file pattern : \n\t\t'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Eas\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ecp\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ews\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Mapi\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Oab\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\OwaCalendar\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\PowerShell\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\RpcHttp\\*.log'\n6. Put 'ExchangeHttpProxy_CL' in Table Name.\n7. in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend DateTime=todatetime(d[0]),RequestId=tostring(d[1]) ,MajorVersion=tostring(d[2]) ,MinorVersion=tostring(d[3]) ,BuildVersion=tostring(d[4]) ,RevisionVersion=tostring(d[5]) ,ClientRequestId=tostring(d[6]) ,Protocol=tostring(d[7]) ,UrlHost=tostring(d[8]) ,UrlStem=tostring(d[9]) ,ProtocolAction=tostring(d[10]) ,AuthenticationType=tostring(d[11]) ,IsAuthenticated=tostring(d[12]) ,AuthenticatedUser=tostring(d[13]) ,Organization=tostring(d[14]) ,AnchorMailbox=tostring(d[15]) ,UserAgent=tostring(d[16]) ,ClientIpAddress=tostring(d[17]) ,ServerHostName=tostring(d[18]) ,HttpStatus=tostring(d[19]) ,BackEndStatus=tostring(d[20]) ,ErrorCode=tostring(d[21]) ,Method=tostring(d[22]) ,ProxyAction=tostring(d[23]) ,TargetServer=tostring(d[24]) ,TargetServerVersion=tostring(d[25]) ,RoutingType=tostring(d[26]) ,RoutingHint=tostring(d[27]) ,BackEndCookie=tostring(d[28]) ,ServerLocatorHost=tostring(d[29]) ,ServerLocatorLatency=tostring(d[30]) ,RequestBytes=tostring(d[31]) ,ResponseBytes=tostring(d[32]) ,TargetOutstandingRequests=tostring(d[33]) ,AuthModulePerfContext=tostring(d[34]) ,HttpPipelineLatency=tostring(d[35]) ,CalculateTargetBackEndLatency=tostring(d[36]) ,GlsLatencyBreakup=tostring(d[37]) ,TotalGlsLatency=tostring(d[38]) ,AccountForestLatencyBreakup=tostring(d[39]) ,TotalAccountForestLatency=tostring(d[40]) ,ResourceForestLatencyBreakup=tostring(d[41]) ,TotalResourceForestLatency=tostring(d[42]) ,ADLatency=tostring(d[43]) ,SharedCacheLatencyBreakup=tostring(d[44]) ,TotalSharedCacheLatency=tostring(d[45]) ,ActivityContextLifeTime=tostring(d[46]) ,ModuleToHandlerSwitchingLatency=tostring(d[47]) ,ClientReqStreamLatency=tostring(d[48]) ,BackendReqInitLatency=tostring(d[49]) ,BackendReqStreamLatency=tostring(d[50]) ,BackendProcessingLatency=tostring(d[51]) ,BackendRespInitLatency=tostring(d[52]) ,BackendRespStreamLatency=tostring(d[53]) ,ClientRespStreamLatency=tostring(d[54]) ,KerberosAuthHeaderLatency=tostring(d[55]) ,HandlerCompletionLatency=tostring(d[56]) ,RequestHandlerLatency=tostring(d[57]) ,HandlerToModuleSwitchingLatency=tostring(d[58]) ,ProxyTime=tostring(d[59]) ,CoreLatency=tostring(d[60]) ,RoutingLatency=tostring(d[61]) ,HttpProxyOverhead=tostring(d[62]) ,TotalRequestTime=tostring(d[63]) ,RouteRefresherLatency=tostring(d[64]) ,UrlQuery=tostring(d[65]) ,BackEndGenericInfo=tostring(d[66]) ,GenericInfo=tostring(d[67]) ,GenericErrors=tostring(d[68]) ,EdgeTraceId=tostring(d[69]) ,DatabaseGuid=tostring(d[70]) ,UserADObjectGuid=tostring(d[71]) ,PartitionEndpointLookupLatency=tostring(d[72]) ,RoutingStatus=tostring(d[73]) | extend TimeGenerated = DateTime | project-away d,RawData,DateTime | project-away d,RawData,DateTime\n and click on 'Destination'.\n8. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n9. Click on 'Add data source'.\n10. Fill other required parameters and tags and create the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Assign the DCR to all Exchange Servers",
+ "description": "Add all your Exchange Servers to the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "2. [Option 7] HTTP Proxy of Exchange Servers"
+ }
+ ],
+ "metadata": {
+ "id": "2e63ad0e-84e3-4f01-b210-9db0bc42b8ff",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId8'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId8'))]",
+ "contentId": "[variables('_dataConnectorContentId8')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion8')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId8')]",
+ "contentKind": "DataConnector",
+ "displayName": "Microsoft Exchange HTTP Proxy Logs",
+ "contentProductId": "[variables('_dataConnectorcontentProductId8')]",
+ "id": "[variables('_dataConnectorcontentProductId8')]",
+ "version": "[variables('dataConnectorVersion8')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId8'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId8')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId8'))]",
+ "contentId": "[variables('_dataConnectorContentId8')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion8')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId8'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "Microsoft Exchange HTTP Proxy Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[Option 7] - Using Azure Monitor Agent - You can stream HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you create custom alerts, and improve investigation. [Learn more](https://aka.ms/ESI_DataConnectorOptions)",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Exchange HTTPProxy logs",
+ "baseQuery": "ExchangeHttpProxy_CL"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "ExchangeHttpProxy_CL",
+ "lastDataReceivedQuery": "ExchangeHttpProxy_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "ExchangeHttpProxy_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit logs",
+ "query": "ExchangeHttpProxy_CL | sort by TimeGenerated"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Azure Log Analytics will be deprecated",
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 7** of the wiki."
+ },
+ {
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel"
+ },
+ {
+ "description": "Select how to stream HTTP Proxy of Exchange Servers",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules - When Azure Monitor Agent is used",
+ "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered Method)",
+ "description": "Use this method for automated deployment of the DCE and DCR.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCE (If not already created for Exchange Servers)",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy."
+ },
+ {
+ "title": "B. Deploy Data Connection Rule",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-DCROption7-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Automation",
+ "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Create Custom Table - Explanation",
+ "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)."
+ },
+ {
+ "title": "Create Custom Table using an ARM Template",
+ "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-ESI-HTTPProxyCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy."
+ },
+ {
+ "title": "Create Custom Table using PowerShell in Cloud Shell",
+ "description": "1. From the Azure Portal, open a Cloud Shell.\n2. Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t \"schema\": {\n\t\t\t\t\t\t\"name\": \"ExchangeHttpProxy_CL\",\n\t\t\t\t\t\t\"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AccountForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ActivityContextLifeTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ADLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AnchorMailbox\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticatedUser\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticationType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthModulePerfContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndCookie\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndGenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendProcessingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BuildVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CalculateTargetBackEndLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientIpAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CoreLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"DatabaseGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"EdgeTraceId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ErrorCode\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericErrors\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GlsLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerCompletionLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerToModuleSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpPipelineLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpProxyOverhead\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"IsAuthenticated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"KerberosAuthHeaderLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MajorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Method\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MinorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ModuleToHandlerSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Organization\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"PartitionEndpointLookupLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Protocol\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProtocolAction\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyAction\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestHandlerLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResourceForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResponseBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RevisionVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RouteRefresherLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingHint\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerHostName\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorHost\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"SharedCacheLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetOutstandingRequests\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServer\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServerVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalAccountForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalGlsLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalRequestTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalResourceForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalSharedCacheLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlHost\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlQuery\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlStem\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserADObjectGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserAgent\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t }\n\t\t\t }\n\t\t }\n\t\t '@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/ExchangeHttpProxy_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ },
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "A. Create DCE (If not already created for Exchange Servers)",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**."
+ },
+ {
+ "title": "B. Create a DCR, Type Custom log",
+ "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option7-HTTPProxyLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter the following file pattern : \n\t\t'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Eas\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ecp\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ews\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Mapi\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Oab\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\OwaCalendar\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\PowerShell\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\RpcHttp\\*.log'\n6. Put 'ExchangeHttpProxy_CL' in Table Name.\n7. in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend DateTime=todatetime(d[0]),RequestId=tostring(d[1]) ,MajorVersion=tostring(d[2]) ,MinorVersion=tostring(d[3]) ,BuildVersion=tostring(d[4]) ,RevisionVersion=tostring(d[5]) ,ClientRequestId=tostring(d[6]) ,Protocol=tostring(d[7]) ,UrlHost=tostring(d[8]) ,UrlStem=tostring(d[9]) ,ProtocolAction=tostring(d[10]) ,AuthenticationType=tostring(d[11]) ,IsAuthenticated=tostring(d[12]) ,AuthenticatedUser=tostring(d[13]) ,Organization=tostring(d[14]) ,AnchorMailbox=tostring(d[15]) ,UserAgent=tostring(d[16]) ,ClientIpAddress=tostring(d[17]) ,ServerHostName=tostring(d[18]) ,HttpStatus=tostring(d[19]) ,BackEndStatus=tostring(d[20]) ,ErrorCode=tostring(d[21]) ,Method=tostring(d[22]) ,ProxyAction=tostring(d[23]) ,TargetServer=tostring(d[24]) ,TargetServerVersion=tostring(d[25]) ,RoutingType=tostring(d[26]) ,RoutingHint=tostring(d[27]) ,BackEndCookie=tostring(d[28]) ,ServerLocatorHost=tostring(d[29]) ,ServerLocatorLatency=tostring(d[30]) ,RequestBytes=tostring(d[31]) ,ResponseBytes=tostring(d[32]) ,TargetOutstandingRequests=tostring(d[33]) ,AuthModulePerfContext=tostring(d[34]) ,HttpPipelineLatency=tostring(d[35]) ,CalculateTargetBackEndLatency=tostring(d[36]) ,GlsLatencyBreakup=tostring(d[37]) ,TotalGlsLatency=tostring(d[38]) ,AccountForestLatencyBreakup=tostring(d[39]) ,TotalAccountForestLatency=tostring(d[40]) ,ResourceForestLatencyBreakup=tostring(d[41]) ,TotalResourceForestLatency=tostring(d[42]) ,ADLatency=tostring(d[43]) ,SharedCacheLatencyBreakup=tostring(d[44]) ,TotalSharedCacheLatency=tostring(d[45]) ,ActivityContextLifeTime=tostring(d[46]) ,ModuleToHandlerSwitchingLatency=tostring(d[47]) ,ClientReqStreamLatency=tostring(d[48]) ,BackendReqInitLatency=tostring(d[49]) ,BackendReqStreamLatency=tostring(d[50]) ,BackendProcessingLatency=tostring(d[51]) ,BackendRespInitLatency=tostring(d[52]) ,BackendRespStreamLatency=tostring(d[53]) ,ClientRespStreamLatency=tostring(d[54]) ,KerberosAuthHeaderLatency=tostring(d[55]) ,HandlerCompletionLatency=tostring(d[56]) ,RequestHandlerLatency=tostring(d[57]) ,HandlerToModuleSwitchingLatency=tostring(d[58]) ,ProxyTime=tostring(d[59]) ,CoreLatency=tostring(d[60]) ,RoutingLatency=tostring(d[61]) ,HttpProxyOverhead=tostring(d[62]) ,TotalRequestTime=tostring(d[63]) ,RouteRefresherLatency=tostring(d[64]) ,UrlQuery=tostring(d[65]) ,BackEndGenericInfo=tostring(d[66]) ,GenericInfo=tostring(d[67]) ,GenericErrors=tostring(d[68]) ,EdgeTraceId=tostring(d[69]) ,DatabaseGuid=tostring(d[70]) ,UserADObjectGuid=tostring(d[71]) ,PartitionEndpointLookupLatency=tostring(d[72]) ,RoutingStatus=tostring(d[73]) | extend TimeGenerated = DateTime | project-away d,RawData,DateTime | project-away d,RawData,DateTime\n and click on 'Destination'.\n8. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n9. Click on 'Add data source'.\n10. Fill other required parameters and tags and create the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Assign the DCR to all Exchange Servers",
+ "description": "Add all your Exchange Servers to the DCR"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "2. [Option 7] HTTP Proxy of Exchange Servers"
+ }
+ ],
+ "id": "[variables('_uiConfigId8')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('parserObject1').parserTemplateSpecName1]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "ExchangeAdminAuditLogs Data Parser with template version 3.3.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('parserObject1').parserVersion1]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[variables('parserObject1')._parserName1]",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Parser for ExchangeAdminAuditLogs",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "ExchangeAdminAuditLogs",
+ "query": "let CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/CmdletWatchlist.csv\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) ;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.displayName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n let SearchUserCanonicalName = T | join Watchlist on $left.TargetObject == $right.canonicalName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserObjectSID = T | join Watchlist on $left.TargetObject == $right.objectSID | project TargetObject,SearchKey;\n let SearchUserObjectGUID = T | join (Watchlist | extend objectGuidString = tostring(objectGUID)) on $left.TargetObject == $right.objectGuidString | project TargetObject,SearchKey;\n let SearchUserDistinguishedName = T | join Watchlist on $left.TargetObject == $right.distinguishedName | project TargetObject,SearchKey;\n union isfuzzy=true withsource=TableName \n SearchUserDisplayName, \n SearchUserUPN, \n SearchUserCanonicalName, \n SearchUserSAMAccountName,\n SearchUserObjectSID,\n SearchUserObjectGUID,\n SearchUserDistinguishedName\n };\nlet Env = ExchangeConfiguration(SpecificSectionList=\"ESIEnvironment\")\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\n| project DomainFQDN_, ESIEnvironment;\nlet EventList = Event\n | where EventLog == 'MSExchange Management'\n | where EventID in (1,6) // 1 = Success, 6 = Failure\n | parse ParameterXml with '' CmdletName '' CmdletParameters '' Caller '' *\n | extend TargetObject = iif( CmdletParameters has \"-Identity \", split(split(CmdletParameters,'-Identity ')[1],'\"')[1], iif( CmdletParameters has \"-Name \", split(split(CmdletParameters,'-Name ')[1],'\"')[1], \"\"));\nlet MSExchange_Management = (){\nEventList\n | extend Status = case( EventID == 1, 'Success', 'Failure')\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\n | join kind=leftouter ( \n Env\n ) on $left.DomainEnv == $right.DomainFQDN_\n | extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\"Unknown-\",DomainEnv))\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project TimeGenerated,Computer,Status,Caller,TargetObject,IsVIP,canonicalName,displayName,distinguishedName,objectGUID,objectSID,sAMAccountName,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented, ESIEnvironment\n};\nMSExchange_Management\n",
+ "functionParameters": "",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": ""
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject1')._parserId1]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeAdminAuditLogs Data Parser')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
+ "kind": "Parser",
+ "version": "[variables('parserObject1').parserVersion1]",
+ "source": {
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "kind": "Solution",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('parserObject1').parserContentId1]",
"contentKind": "Parser",
"displayName": "Parser for ExchangeAdminAuditLogs",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.3.0')))]",
@@ -2257,7 +5124,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ExchangeConfiguration Data Parser with template version 3.1.5",
+ "description": "ExchangeConfiguration Data Parser with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -2387,7 +5254,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ExchangeEnvironmentList Data Parser with template version 3.1.5",
+ "description": "ExchangeEnvironmentList Data Parser with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject3').parserVersion3]",
@@ -2517,7 +5384,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MESCheckVIP Data Parser with template version 3.1.5",
+ "description": "MESCheckVIP Data Parser with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject4').parserVersion4]",
@@ -2638,6 +5505,136 @@
}
}
},
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('parserObject5').parserTemplateSpecName5]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MESCompareDataOnPMRA Data Parser with template version 3.3.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('parserObject5').parserVersion5]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[variables('parserObject5')._parserName5]",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Parser for MRA Configuration Data Comparison On-Premises",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "MESCompareDataOnPMRA",
+ "query": "// Version: 1.0.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n//| extend WhenChanged = case(Actiontype == \"Modif\" , tostring(bin(WhenChanged,1m)), Actiontype == \"Add\",tostring(bin(WhenChanged,1m)),Actiontype == \"Remove\",\"NoInformation\",\"N/A\")\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope, \n RecipientWriteScope, \n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n",
+ "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": ""
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject5')._parserId5]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataOnPMRA')]",
+ "contentId": "[variables('parserObject5').parserContentId5]",
+ "kind": "Parser",
+ "version": "[variables('parserObject5').parserVersion5]",
+ "source": {
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "kind": "Solution",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('parserObject5').parserContentId5]",
+ "contentKind": "Parser",
+ "displayName": "Parser for MRA Configuration Data Comparison On-Premises",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]",
+ "version": "[variables('parserObject5').parserVersion5]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "[variables('parserObject5')._parserName5]",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Parser for MRA Configuration Data Comparison On-Premises",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "MESCompareDataOnPMRA",
+ "query": "// Version: 1.0.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n//| extend WhenChanged = case(Actiontype == \"Modif\" , tostring(bin(WhenChanged,1m)), Actiontype == \"Add\",tostring(bin(WhenChanged,1m)),Actiontype == \"Remove\",\"NoInformation\",\"N/A\")\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope, \n RecipientWriteScope, \n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n",
+ "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": ""
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject5')._parserId5]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataOnPMRA')]",
+ "contentId": "[variables('parserObject5').parserContentId5]",
+ "kind": "Parser",
+ "version": "[variables('parserObject5').parserVersion5]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ }
+ }
+ },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -2647,7 +5644,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Exchange Least Privilege with RBAC Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Least Privilege with RBAC Workbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -2738,7 +5735,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Exchange Search AdminAuditLog Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Search AdminAuditLog Workbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion2')]",
@@ -2829,7 +5826,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Exchange Admin Activity Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Admin Activity Workbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion3')]",
@@ -2920,7 +5917,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Exchange Security Review Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Security Review Workbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion4')]",
@@ -2938,7 +5935,7 @@
},
"properties": {
"displayName": "[parameters('workbook4-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Security Review\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"On-Premises\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":1,\"content\":{\"json\":\"This workbook helps review your Exchange Security configuration.\\r\\nSelect your Exchange Organization and adjust the time range.\\r\\nBy default, the Help won't be displayed. To display the help, choose Yes on the toogle buttom \\\"Show Help\\\"\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Mailbox Access\",\"subTarget\":\"Delegation\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exchange & AD Groups\",\"subTarget\":\"ExchAD\",\"style\":\"link\"},{\"id\":\"30dc6820-339d-4fa9-ad79-5d79816a5cab\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Local Administrators\",\"subTarget\":\"Server\",\"style\":\"link\"},{\"id\":\"571fa2a4-1f1e-44a2-ada0-ccfb31b9abbb\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exchange Security Configuration\",\"subTarget\":\"SecConf\",\"style\":\"link\"},{\"id\":\"26c68d90-925b-4c3c-a837-e3cecd489b2d\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Transport Configuration\",\"subTarget\":\"Transport\",\"style\":\"link\"},{\"id\":\"eb2888ca-7fa6-4e82-88db-1bb3663a801e\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Summary\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"TopMenuTabs\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\n\\r\\nThe goal of this workbook is to outline key security configurations of your Exchange On-Premises environment.\\r\\n\\r\\nMost of Exchange organizations have were installed years ago (sometimes more than 10 years). Many configurations have been done and might not have been documented. For most environments, the core commitment was maintaining a high availability of the users’ mailboxes putting aside other consideration (even security considerations). Recommended security practices have also evolved since the first released and a regular review is necessary.\\r\\n\\r\\nThis workbook is designed to show your Exchange organization is configured with a security point of view. Indeed, some configurations easy to display as there are no UI available.\\r\\n\\r\\nFor each configuration, you will find explanations and recommendations when applicable.\\r\\n\\r\\n- This workbook does not pretend to show you every weak Security configurations, but the most common issues and known to be used by attackers. \\r\\n- It will not show you if you have been comprised, but will help you identify unexpected configuration.\\r\\n\\r\\n----\\r\\n\\r\\n## Quick reminder of how Exchange works\\r\\n\\r\\nDuring Exchange installation two very important groups are created :\\r\\n- Exchange Trusted Subsystem : Contain all the computer accounts for Exchange Server\\r\\n- Exchange Windows Permissions : Contain the group Exchange trusted Subsystem\\r\\n\\r\\nThese groups have :\\r\\n- Very high privileges in ALL AD domains including the root domain\\r\\n- Right on any Exchange including mailboxes\\r\\n\\r\\nAs each Exchange server computer account is member of Exchange Trusted Subsystem, it means by taking control of the computer account or being System on an Exchange server you will gain access to all the permissions granted to Exchange Trusted Subsystem and Exchange Windows Permissions.\\r\\n\\r\\nTo protect AD and Exchange, it is very important to ensure the following:\\r\\n- There is a very limited number of persons that are local Administrator on Exchange server\\r\\n- To protect user right like : Act part of the operating System, Debug\\r\\n\\r\\nEvery service account or application that have high privileges on Exchange need to be considered as sensitive\\r\\n\\r\\n** 💡 Exchange servers need to be considered as very sensitive servers**\\r\\n\\r\\n-----\\r\\n\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Mailbox Access\\r\\n\\r\\nThis tab will show you several top sensitive delegations that allow an account to access, modify, act as another user, search, export the content of a mailbox.\\r\\n\\r\\n### Exchange & AD Groups\\r\\n\\r\\nThis tab will show you the members of Exchange groups and Sensitive AD groups.\\r\\n\\r\\n### Local Administrators\\r\\n\\r\\nThis tab will show you the non standard content of the local Administrators group. Remember that a member of the local Administrators group can take control of the computer account of the server and then it will have all the permissions associated with Exchange Trusted Subsytem and Exchange Windows Permissions\\r\\n\\r\\nThe information is displayed with different views : \\r\\n- List of nonstandard users\\r\\n- Number of servers with a nonstandard a user\\r\\n- Nonstandard groups content\\r\\n- For each user important information are displayed like last logon, last password set, enabled\\r\\n\\r\\n### Exchange Security configuration\\r\\n\\r\\nThis tab will show you some important configuration for your Exchange Organization\\r\\n- Status of Admin Audit Log configuration\\r\\n- Status of POP and IMAP configuration : especially, is Plaintext Authentication configured ?\\r\\n- Nonstandard permissions on the Exchange container in the Configuration Partition\\r\\n\\r\\n### Transport Configuration\\r\\n\\r\\nThis tab will show you the configuration of the main Transport components\\r\\n- Receive Connectors configured with Anonymous and/or Open Relay\\r\\n- Remote Domain Autoforward configuration\\r\\n- Transport Rules configured with BlindCopyTo, SendTo, RedirectTo\\r\\n- Journal Rule and Journal Recipient configurations\\r\\n- Accepted Domains with *\\r\\n\\r\\n\"},\"name\":\"WorkbookInfo\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"InformationTab\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Security Configuration for the Exchange environment\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays several security information regarding the organization or server's configuration.\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"This section display the Exchange version and the CU installed.\\r\\n\\r\\nFor the latest build number, check this link : Exchange Build Numbers\\r\\n\\r\\nThis section is built from a file located in the public github repository.\\r\\nThe repository is manually updated by the team project when new CU/SU are released.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ServerVersionCheckHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExchBuildNumber.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\\r\\n//ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Minor,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Build)\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExchVersion\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\\r\\n| extend Server = tostring(ProcessedByServer_s)\\r\\n| extend CmdletResultType = tostring(CmdletResultType)\\r\\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\\r\\n| distinct Server,VersionNumber,Productname,CU,SU,CmdletResultType\\r\\n| extend Server = strcat(\\\"💻 \\\",Server)\\r\\n| extend Productname = case ( VersionNumber startswith \\\"15.02\\\", \\\"Exchange 2019\\\", VersionNumber startswith \\\"15.01\\\", \\\"Exchange 2016\\\", VersionNumber startswith \\\"15.00\\\",\\\"Exchange 2013\\\", \\\"Exchange 2010\\\")\\r\\n| extend CU = iff(CmdletResultType <>\\\"Success\\\", \\\"Unable to retrieve information from server\\\", iff(CU <> \\\"\\\", CU, \\\"New CU or SU not yet in the List\\\"))\\r\\n| extend SU = iff(CmdletResultType <>\\\"Success\\\", \\\"Unable to retrieve information from server\\\", iff( SU <> \\\"\\\", SU, \\\"New CU or SU not yet in the List\\\"))\\r\\n|project-away CmdletResultType\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange servers CU-SU level\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersList\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExchBuildNumber.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExchVersion\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Minor,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Build)\\r\\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\\r\\n| extend Server = tostring(CmdletResultValue.Server)\\r\\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\\r\\n| extend CU = iff( CU <> \\\"\\\", CU, \\\"New CU/SU not yet in the CU List\\\")\\r\\n| extend Version =strcat (VersionNumber,\\\"-\\\",CU,\\\"-\\\",SU)\\r\\n| summarize dcount(Server) by Version\",\"size\":0,\"showAnalytics\":true,\"title\":\"Version break down\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"ExchangeServerVersionPie\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Admin Audit Log configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The Admin Audit log stores all the actions performed on Exchange Servers (except read actions such as Get/Test).\\r\\n\\r\\nAdmin Audit Log \\r\\n\\r\\nManage Admin Audit Log \\r\\n\\r\\n\\r\\nThis can be used to track \\r\\n- Unexpected behaviors\\r\\n- Who did a modification\\r\\n- Real actions performed by an account (the output could be used with to identify the necessary privileges)\\r\\n\\r\\nℹ️ Recommendations\\r\\n- Ensure that Admin Audit Log is not disabled\\r\\n- Ensure that critical Cmdlets have not been excluded\\r\\n- Ensure that AdminAuditLogCmdlets is set to * (list of audited Cmdlets)\\r\\n- Review the retention configuration for the Admin Audit Log content\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AdminAuditHelp\"},{\"type\":1,\"content\":{\"json\":\"Here the main settings for the Admin Audit Log. Remember that AdminAudit log need to be enabled and no cmdlet should be excluded. Also check the retention limit.\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/CmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\\r\\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\\r\\n| project AdminAuditLogExcludedCmdlets);\\r\\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend AdminAuditLogEnabled = iff(CmdletResultValue.AdminAuditLogEnabled == \\\"FALSE\\\", \\\" ❌ Disabled, High Risk\\\", \\\"✅ Enabled\\\")\\r\\n| extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\\r\\n| extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit,8)\\r\\n| extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit,0,indexof(AdminAuditLogAgeLimit, ','))\\r\\n| extend AdminAuditLogAgeLimit = iff(toint(AdminAuditLogAgeLimit) == 0,strcat(\\\"❌ No AdminAuditlog recorded \\\",AdminAuditLogAgeLimit), iff(toint(AdminAuditLogAgeLimit) <=30,strcat(\\\"⚠️ Value to low except if exported \\\",AdminAuditLogAgeLimit), strcat(\\\"✅\\\",AdminAuditLogAgeLimit)))\\r\\n| extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\\r\\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,2)\\r\\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,0,indexof(AdminAuditLogCmdlets, '\\\"]') )\\r\\n| extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets,'\\\"',\\\"\\\")\\r\\n| extend Comment_AdminAuditLogCmdlets = iff( AdminAuditLogCmdlets == \\\"*\\\",\\\"✅ Default configuration\\\",\\\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\\r\\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,2)\\r\\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,0,indexof(AdminAuditLogExcludedCmdlets, ']'))\\r\\n| extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets,'\\\"',\\\"\\\")\\r\\n//| extend Cmdlet = replace_string(AdminAuditLogExcludedCmdlets,'\\\"',\\\"\\\")\\r\\n//| extend AALECSplit = tostring(split(AdminAuditLogExcludedCmdlets,\\\",\\\"))\\r\\n| project-away CmdletResultValue\\r\\n| extend Comment_AdminAuditLogExcludedCmdlet = case( isnotempty( SentsitivecmdletTrack ),\\\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\\\",AdminAuditLogExcludedCmdlets <>\\\"\\\",\\\"⚠️ Some Cmdlets are excluded \\\",\\\"✅ No Excluded CmdLet\\\")\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Comment_AdminAuditLogCmdlets\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"AdminAuditLogCmdlets\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"AdminAuditLogCmdlets\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 0Admin Audit Log configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\"},\"name\":\"POP authentication configuration\"},{\"type\":1,\"content\":{\"json\":\"### POP authentication configuration\"},\"name\":\"text - 11\"},{\"type\":1,\"content\":{\"json\":\"If the POP Service is started, the LoginType should not set to Plaintext. This means that the password will be sent in clear on the network. As POP is enabled by default on all the mailboxes, this represents a high security risk.\\r\\n\\r\\nPOP Authentication\\r\\n- **PlainText** TLS encryption is not required on port 110. Usernames and passwords are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\\r\\n- **PlainTextAuthentication** TLS encryption is not required on port 110. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\\r\\n- **SecureLogin** Connection on port 110 must use TLS encryption before authenticating.\\r\\n\\r\\nℹ️ Recommendations\\r\\nDisable POP on all mailboxes except those who need to actually use this protocol.\\r\\nSet the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application.\\r\\n\\r\\nIf the application is not able to perform this type of authentication:\\r\\n- Ensure that POP is disabled on all the mailboxes except those who really need it \\r\\n- Monitor the POP connections\\r\\n- Change the password of the application on a regular basis\\r\\n\\r\\nRecommended Reading : \\r\\n\\r\\nConfiguring Authentication for POP3 and IMAP4\\r\\n \\r\\n Set-PopSettings\\r\\n\\r\\n\\r\\nIn order to track mailboxes that are currently using POP\\r\\n- Enable POP logging\\r\\n- Set-PopSettings -Server SRV1 -ProtocolLogEnabled verbose\\r\\n- Several weeks later, analyze the log content\\r\\n- Default location : - Get-PopSettings -server SRV1 | fl server,*log*\\r\\n- Check for connection and authentication\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"PopServiceHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangePop3\\\")\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n| join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangePop3BE\\\" )\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n| extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n| extend Status = tostring(Status)\\r\\n| extend BackendEndService= tostring(ServiceName1)\\r\\n| extend StartupType = tostring(StartupType)\\r\\n| extend BEStatus = tostring(Status1)\\r\\n| extend BEStartupType = tostring(StartupType1)\\r\\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n| sort by ServerName asc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Pop Authentication : should not be set as Plaintext\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LoginType\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"LoginType\"],\"finalBy\":\"LoginType\"}}},\"name\":\"PopSettingsQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"### IMAP authentication configuration\"},\"name\":\"IMAPTitle\"},{\"type\":1,\"content\":{\"json\":\"If the IMAP Service is started, the LoginType should not set to Plaintext. This means that the passwords will be sent in clear over the network. As IMAP is enabled by default on all the mailboxes, this is a high security risk.\\r\\n\\r\\nIMAP Authentication\\r\\n- **PlainText** TLS encryption is not required on port 110. User name and password are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\\r\\n- **PlainTextAuthentication** TLS encryption is not required on port 143. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\\r\\n- **SecureLogin** Connection on port 143 must use TLS encryption before authenticating.\\r\\n\\r\\nℹ️ Recommendations \\r\\nDisable IMAP on all mailboxes except those which needs to use this protocol. Set the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application accordingly.\\r\\n\\r\\nIf the application is not able to perform this type of authentication:\\r\\n- Ensure that IMAP is disable on all the mailboxes except those who really need it \\r\\n- Monitor the connection\\r\\n- Regularly, change the password of the application\\r\\n\\r\\nRecommended Reading : \\r\\n\\r\\nConfiguring Authentication for POP3 and IMAP4\\r\\n\\r\\n Set-IMAPSettings\\r\\n\\r\\n\\r\\n\\r\\nIn order to track mailboxes that are currently using IMAP\\r\\n- Enable IMAP logging\\r\\n- Set-IMAPSettings -Server SRV1 -ProtocolLogEnabled verbose\\r\\n- Several weeks later, analyze the log content\\r\\n- Default location : Get-IMAPSettings -server SRV1 | fl server,*log*\\r\\n- Check for connection and authentication\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"IMAPHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4\\\")\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n| join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4BE\\\" )\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n| extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n| extend Status = tostring(Status)\\r\\n| extend BackendEndService= tostring(ServiceName1)\\r\\n| extend StartupType = tostring(StartupType)\\r\\n| extend BEStatus = tostring(Status1)\\r\\n| extend BEStartupType = tostring(StartupType1)\\r\\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n| sort by ServerName asc\",\"size\":1,\"showAnalytics\":true,\"title\":\"IMAP Authentication : should not be set as Plaintext\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LoginType\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"LoginType\"],\"finalBy\":\"LoginType\"}}},\"name\":\"IMAPSettingsQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Nonstandard permissions on Configuration Partitions\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section highlights nonstandard permissions on Configuration Partition for Exchange container. By selecting Yes for Generic All buttom only delegation set for Generic All will be display. Standard, Deny and inherited permissions have been removed\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"During the lifetime of an Exchange Organization, many permissions may have been set on Exchange containers in the Configuration Partition.\\r\\nThis section displayed all the nonstandard permissions found on the most important Exchange containers :\\r\\n - Groups from legacy Exchange versions (Exchange Enterprise Servers, Exchange Domain Servers,...)\\r\\n - SID for deleted accounts\\r\\n - Old service accounts (that may not have been disabled or removed...)\\r\\n \\r\\nWhen an administrator run setup /prepareAD, his account will be granted Generic All at the top-level Exchange container\\r\\n\\r\\nBy default, this section only displayed the Generic All permissions.\\r\\n \\r\\nThis section is built by removing all the standard AD and Exchange groups.\\r\\n\\r\\n Exchange 2013 deployment permissions reference\\r\\n \\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"80f9134a-420f-47c9-b171-1ca8e72efa3e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GenericAll\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"29e2005c-3bd4-4bb8-be63-053d11abe1d4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NonStandardPermissions\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Authenticated Users\\\", \\\"Domain Admins\\\", \\\"Enterprise Admins\\\",\\\"Schema Admins\\\", \\\"Exchange Trusted Subsystem\\\", \\\"Exchange Servers\\\",\\\"Organization Management\\\", \\\"Public Folder Management\\\",\\\"Delegated Setup\\\", \\\"ANONYMOUS LOGON\\\", \\\"NETWORK SERVICE\\\", \\\"SYSTEM\\\", \\\"Everyone\\\",\\\"Managed Availability Servers\\\"]);\\r\\nlet Exchsrv =ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| summarize make_list(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n| where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in ({GenericAll})\\r\\n| where not (CmdletResultValue.UserString has_any (StandardGroup)) in ({NonStandardPermissions})\\r\\n| where not (CmdletResultValue.UserString has_any (Exchsrv))in ({NonStandardPermissions})\\r\\n| extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend Account = tostring(CmdletResultValue.UserString )\\r\\n| extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\\r\\n| extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n| extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n| extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n| project-away CmdletResultValue\\r\\n| sort by DN desc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"AccessRights\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"AccessRights\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Nonstandard permissions on Configuration Partitions\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"SecConf\"},\"name\":\"Security Configuration for the Exchange environment\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays important security configurations that allow access to all or partial mailboxes' content - Direct delegations are not listed - Example : Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 2, Parsers: 4, Workbooks: 4, Analytic Rules: 2, Watchlists: 2
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 8, Parsers: 5, Workbooks: 4, Analytic Rules: 2, Watchlists: 2
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3371,6 +6368,36 @@ "contentId": "[variables('_dataConnectorContentId2')]", "version": "[variables('dataConnectorVersion2')]" }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId3')]", + "version": "[variables('dataConnectorVersion3')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId4')]", + "version": "[variables('dataConnectorVersion4')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId5')]", + "version": "[variables('dataConnectorVersion5')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId6')]", + "version": "[variables('dataConnectorVersion6')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId7')]", + "version": "[variables('dataConnectorVersion7')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId8')]", + "version": "[variables('dataConnectorVersion8')]" + }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]", @@ -3391,6 +6418,11 @@ "contentId": "[variables('parserObject4').parserContentId4]", "version": "[variables('parserObject4').parserVersion4]" }, + { + "kind": "Parser", + "contentId": "[variables('parserObject5').parserContentId5]", + "version": "[variables('parserObject5').parserVersion5]" + }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", @@ -3424,12 +6456,12 @@ { "kind": "Watchlist", "contentId": "[variables('_Exchange Services Monitoring')]", - "version": "3.1.5" + "version": "3.3.0" }, { "kind": "Watchlist", "contentId": "[variables('_Exchange VIP')]", - "version": "3.1.5" + "version": "3.3.0" } ] }, diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml new file mode 100644 index 00000000000..33c7525d895 --- /dev/null +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml @@ -0,0 +1,183 @@ +id: 0a0f4ea0-6b94-4420-892e-41ca985f2f01 +Function: + Title: Parser for MRA Configuration Data Comparison On-Premises + Version: '1.0.0' + LastUpdated: '2024-08-30' +Category: Microsoft Sentinel Parser +FunctionName: MESCompareDataOnPMRA +FunctionAlias: MESCompareDataOnPMRA +FunctionParams: + - Name: SectionCompare + Type: string + Description: The Section to compare. Default value is "". + Default: '' + - Name: DateCompare + Type: string + Description: The date of the source comparison. Default value is "lastdate". + Default: 'lastdate' + - Name: CurrentDate + Type: string + Description: The date of the target comparison. Default value is "lastdate". + Default: 'lastdate' + - Name: EnvList + Type: string + Description: List of environments to compare. Default value is "All". + Default: 'All' + - Name: TypeEnv + Type: string + Description: Type of environment to compare. Default value is "Online". + Default: 'Online' + - Name: CurrentRole + Type: string + Description: A specific role to compare. Default value is "". + Default: '' + - Name: ExclusionsAcct + Type: dynamic + Description: List of actors to exclude. Default value is "dynamic('')". + Default: dynamic('') +FunctionQuery: | + // Version: 1.0.0 + // Last Updated: 30/08/2024 + // + // DESCRIPTION: + // This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them. + // + // USAGE: + // Parameters : 7 parameters to add during creation. + // 1. SectionCompare, type string, default value "" + // 2. DateCompare, type string, default value "lastdate" + // 3. CurrentDate, type string, default value "lastdate" + // 4. EnvList, type string, default value "All" + // 5. TypeEnv, type string, default value "Online" + // 6. CurrentRole, type string, default value "" + // 7. ExclusionsAcct, type dynamic, default value dynamic("") + // + // Parameters simulation + // If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values. + // + // let SectionCompare = "SampleEntry"; + // let EnvList = "All"; + // let TypeEnv = "Online"; + // let CurrentRole = ""; + // let ExclusionsAcct = dynamic(""); + // let DateCompare = "lastdate"; + // let CurrentDate = "lastdate"; + // + // Parameters definition + let _SectionCompare = SectionCompare; + let _EnvList =EnvList; + let _TypeEnv = TypeEnv; + let _CurrentRole =CurrentRole; + let _ExclusionsAcct = ExclusionsAcct; + let _DateCompare = DateCompare; + let _CurrentDate = CurrentDate; + let _DateCompareB = todatetime(DateCompare); + let _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv) + | summarize TimeMax = max(TimeGenerated) + | extend TimeMax = tostring(split(TimeMax,"T")[0]) + | project TimeMax); + let _CurrentDateB = todatetime(toscalar(_currD)); + let BeforeData = + ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv) + | where CmdletResultValue.Role contains _CurrentRole + and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) + and CmdletResultValue.Name !contains "Deleg" + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup") + | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name) + | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name) + | extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable") + | extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable") + | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) + | extend Status= tostring(CmdletResultValue.Enabled) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend Role = tostring(CmdletResultValue.Role) + ; + let AfterData = + ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv) + | where CmdletResultValue.Role contains _CurrentRole + and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) + and CmdletResultValue.Name !contains "Deleg" + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup") + | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name) + | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name) + | extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable") + | extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable") + | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) + | extend Status= tostring(CmdletResultValue.Enabled) + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend Role = tostring(CmdletResultValue.Role) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") + ; + let i=0; + let allDataRange = + ESIExchangeConfig_CL + | where TimeGenerated between (_DateCompareB .. _CurrentDateB) + | where ESIEnvironment_s == _EnvList + | where Section_s == "MRA" + | extend CmdletResultValue = parse_json(rawData_s) + | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t + | where CmdletResultValue.Role contains _CurrentRole + and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct) + and CmdletResultValue.Name !contains "Deleg" + | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) + | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup") + | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name) + | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name) + | extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable") + | extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable") + | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) + | extend Status= tostring(CmdletResultValue.Enabled) + | extend Role = tostring(CmdletResultValue.Role) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") + ; + let DiffAddDataP1 = allDataRange + | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated + ; + let DiffAddDataP2 = allDataRange + | join kind = innerunique (allDataRange ) on WhenCreated + | where WhenCreated >=_DateCompareB + | where bin(WhenCreated,5m)==bin(WhenChanged,5m) + | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + ; + let DiffAddData = union DiffAddDataP1,DiffAddDataP2 + | extend Actiontype ="Add"; + let DiffRemoveData = allDataRange + | join kind = leftanti AfterData on RoleAssigneeName + | extend Actiontype ="Remove" + | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + ; + let DiffModifData = union AfterData,allDataRange + | sort by ManagementRoleAssignement,WhenChanged asc + | extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !="" , strcat("📍 ", Status, " (",prev(Status),"->", Status," )"),Status) + | extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !="" , strcat("📍 ", CustomRecipientWriteScope, " (", prev(CustomRecipientWriteScope),"->", CustomRecipientWriteScope, ")"),CustomRecipientWriteScope) + | extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !="" , strcat("📍 ", CustomConfigWriteScope, " (", prev(CustomConfigWriteScope),"->", CustomConfigWriteScope, ")"),CustomConfigWriteScope) + | extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !="" , strcat("📍 ", RecipientWriteScope, " (", prev(RecipientWriteScope),"->", RecipientWriteScope, ")"),RecipientWriteScope) + | extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !="" , strcat("📍 ", ConfigWriteScope, " (", prev(ConfigWriteScope),"->", ConfigWriteScope, ")"),ConfigWriteScope) + | extend ActiontypeR =iff((Status contains "📍" or CustomRecipientWriteScope contains"📍" or CustomConfigWriteScope contains"📍" or RecipientWriteScope contains"📍" or ConfigWriteScope contains"📍" ), i=i + 1, i) + | extend Actiontype =iff(ActiontypeR > 0, "Modif", "NO") + | where ActiontypeR == 1 + | project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated + ; + union DiffAddData, DiffRemoveData, DiffModifData + | extend RoleAssigneeName = iff(RoleAssigneeType == "User", strcat("🧑🦰 ", RoleAssigneeName), strcat("👪 ", RoleAssigneeName)) + | extend WhenChanged = iff (Actiontype == "Modif", WhenChanged, iff(Actiontype == "Add",WhenCreated, WhenChanged)) + //| extend WhenChanged = case(Actiontype == "Modif" , tostring(bin(WhenChanged,1m)), Actiontype == "Add",tostring(bin(WhenChanged,1m)),Actiontype == "Remove","NoInformation","N/A") + | extend Actiontype = case(Actiontype == "Add", strcat("➕ ", Actiontype), Actiontype == "Remove", strcat("➖ ", Actiontype), Actiontype == "Modif", strcat("📍 ", Actiontype), "N/A") + | sort by WhenChanged desc + | project + WhenChanged, + Actiontype, + RoleAssigneeName, + RoleAssigneeType, + Status, + CustomRecipientWriteScope, + CustomConfigWriteScope, + RecipientWriteScope, + ConfigWriteScope, + ManagementRoleAssignement, + RoleAssignmentDelegationType, + WhenCreated \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md index 56b98e50e99..d3e7780a041 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md @@ -28,6 +28,10 @@ Parsers are created [using functions in Azure monitor log queries](https://docs. - [Parser Description](#parser-description-3) - [Parser dependency](#parser-dependency-1) - [Parser Setup](#parser-setup-3) + - [Microsoft Exchange Compare Data MRA Parser for On-Premises](#microsoft-exchange-compare-data-mra-parser-for-on-premises) + - [Parser Definition](#parser-definition-4) + - [Parser Description](#parser-description-4) + - [Parser Setup](#parser-setup-4) ## ExchangeConfiguration Parser @@ -184,3 +188,39 @@ This parser is linked to "ExchangeVIP" whatchlist >1 parameter to add during creation : UserToCheck, type string, No default value 1. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries + +## Microsoft Exchange Compare Data MRA Parser for On-Premises + +### Parser Definition + +- Title: Microsoft Exchange Compare Data MRA Parser for On-Premises +- Version: 1.0.0 +- Last Updated: 30/08/2024 +- Description: This parser compare data from MRA and ESI Exchange Collector to find differences + +|**Version** |**Details** | +|---------|-----------------------------------------------------------------------------------------------------------------------| +|v1.0 |\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20Online/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 1, **Parsers:** 6, **Workbooks:** 4, **Watchlists:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20Online/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 1, **Parsers:** 5, **Workbooks:** 4, **Watchlists:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -67,7 +67,7 @@
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "The solution installs six (6) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, MESCheckVIP and ExchangeEnvironmentList Kusto Function aliases."
+ "text": "The solution installs five (5) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, MESCheckVIP and ExchangeEnvironmentList, MESOfficeActivityLogs and MESCompareDataMRA Kusto Function aliases."
}
},
{
@@ -139,7 +139,7 @@
{
"name": "workbook3",
"type": "Microsoft.Common.Section",
- "label": "Microsoft Exchange Online Admin Activity",
+ "label": "Microsoft Exchange Admin Activity - Online",
"elements": [
{
"name": "workbook3-text",
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json
index e06b0e19132..1ead482a520 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json
@@ -46,7 +46,7 @@
},
"workbook3-name": {
"type": "string",
- "defaultValue": "Microsoft Exchange Online Admin Activity",
+ "defaultValue": "Microsoft Exchange Admin Activity - Online",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
@@ -70,12 +70,12 @@
}
},
"variables": {
- "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-esionline",
- "_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Microsoft Exchange Security - Exchange Online",
- "_solutionVersion": "3.1.5",
+ "_solutionVersion": "3.1.6",
+ "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-esionline",
+ "_solutionId": "[variables('solutionId')]",
"uiConfigId1": "ESI-ExchangeOnlineCollector",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "ESI-ExchangeOnlineCollector",
@@ -100,32 +100,25 @@
"parserContentId2": "ExchangeEnvironmentList-Parser"
},
"parserObject3": {
- "_parserName3": "[concat(parameters('workspace'),'/','MESCheckVIP Data Parser')]",
- "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckVIP Data Parser')]",
- "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCheckVIP-Parser')))]",
+ "_parserName3": "[concat(parameters('workspace'),'/','MESCheckOnlineVIP Data Parser')]",
+ "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]",
+ "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCheckOnlineVIP-Parser')))]",
"parserVersion3": "1.0.0",
- "parserContentId3": "MESCheckVIP-Parser"
+ "parserContentId3": "MESCheckOnlineVIP-Parser"
},
"parserObject4": {
- "_parserName4": "[concat(parameters('workspace'),'/','MESCheckOnlineVIP Data Parser')]",
- "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]",
- "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCheckOnlineVIP-Parser')))]",
- "parserVersion4": "1.0.0",
- "parserContentId4": "MESCheckOnlineVIP-Parser"
+ "_parserName4": "[concat(parameters('workspace'),'/','MESCompareDataMRA Data Parser')]",
+ "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]",
+ "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCompareDataMRA-Parser')))]",
+ "parserVersion4": "1.1.0",
+ "parserContentId4": "MESCompareDataMRA-Parser"
},
"parserObject5": {
- "_parserName5": "[concat(parameters('workspace'),'/','MESCompareDataMRA Data Parser')]",
- "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]",
- "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCompareDataMRA-Parser')))]",
+ "_parserName5": "[concat(parameters('workspace'),'/','MESOfficeActivityLogs Data Parser')]",
+ "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]",
+ "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESOfficeActivityLogs-Parser')))]",
"parserVersion5": "1.0.0",
- "parserContentId5": "MESCompareDataMRA-Parser"
- },
- "parserObject6": {
- "_parserName6": "[concat(parameters('workspace'),'/','MESOfficeActivityLogs Data Parser')]",
- "_parserId6": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]",
- "parserTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESOfficeActivityLogs-Parser')))]",
- "parserVersion6": "1.0.0",
- "parserContentId6": "MESOfficeActivityLogs-Parser"
+ "parserContentId5": "MESOfficeActivityLogs-Parser"
},
"workbookVersion1": "1.1.0",
"workbookContentId1": "MicrosoftExchangeLeastPrivilegewithRBAC-Online",
@@ -140,7 +133,7 @@
"workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]",
"_workbookContentId2": "[variables('workbookContentId2')]",
"_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]",
- "workbookVersion3": "1.0.0",
+ "workbookVersion3": "1.0.1",
"workbookContentId3": "MicrosoftExchangeAdminActivity-Online",
"workbookId3": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId3'))]",
"workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]",
@@ -166,7 +159,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Exchange Security - Exchange Online data connector with template version 3.1.5",
+ "description": "Microsoft Exchange Security - Exchange Online data connector with template version 3.1.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -201,7 +194,7 @@
"dataTypes": [
{
"name": "ESIExchangeOnlineConfig_CL",
- "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time"
}
],
"connectivityCriterias": [
@@ -518,7 +511,7 @@
"dataTypes": [
{
"name": "ESIExchangeOnlineConfig_CL",
- "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time"
}
],
"connectivityCriterias": [
@@ -744,7 +737,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ExchangeConfiguration Data Parser with template version 3.1.5",
+ "description": "ExchangeConfiguration Data Parser with template version 3.1.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -874,7 +867,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ExchangeEnvironmentList Data Parser with template version 3.1.5",
+ "description": "ExchangeEnvironmentList Data Parser with template version 3.1.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -1004,7 +997,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MESCheckVIP Data Parser with template version 3.1.5",
+ "description": "MESCheckOnlineVIP Data Parser with template version 3.1.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject3').parserVersion3]",
@@ -1018,10 +1011,10 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
- "displayName": "Parser for VIP Check for Exchange",
+ "displayName": "Parser for VIP Check for Exchange Online",
"category": "Microsoft Sentinel Parser",
- "functionAlias": "MESCheckVIP",
- "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\nlet Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ canonicalName \n or _UserToCheck =~ displayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck =~ objectSID \n or _UserToCheck == tostring(objectGUID) \n or _UserToCheck =~ distinguishedName\n or _UserToCheck == \"All\"\n | extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",displayName,\"#\",userPrincipalName,\"#\",sAMAccountName,\"#\",objectGUID,\"#\",objectSID,\"#\",distinguishedName,\"#\"),_UserToCheck);\nSearchUser\n",
+ "functionAlias": "MESCheckOnlineVIP",
+ "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n",
"functionParameters": "UserToCheck:string='All'",
"version": 2,
"tags": [
@@ -1040,7 +1033,7 @@
"[variables('parserObject3')._parserId3]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckVIP Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]",
"contentId": "[variables('parserObject3').parserContentId3]",
"kind": "Parser",
"version": "[variables('parserObject3').parserVersion3]",
@@ -1069,7 +1062,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('parserObject3').parserContentId3]",
"contentKind": "Parser",
- "displayName": "Parser for VIP Check for Exchange",
+ "displayName": "Parser for VIP Check for Exchange Online",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]",
"version": "[variables('parserObject3').parserVersion3]"
@@ -1082,10 +1075,10 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
- "displayName": "Parser for VIP Check for Exchange",
+ "displayName": "Parser for VIP Check for Exchange Online",
"category": "Microsoft Sentinel Parser",
- "functionAlias": "MESCheckVIP",
- "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\nlet Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ canonicalName \n or _UserToCheck =~ displayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck =~ objectSID \n or _UserToCheck == tostring(objectGUID) \n or _UserToCheck =~ distinguishedName\n or _UserToCheck == \"All\"\n | extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",displayName,\"#\",userPrincipalName,\"#\",sAMAccountName,\"#\",objectGUID,\"#\",objectSID,\"#\",distinguishedName,\"#\"),_UserToCheck);\nSearchUser\n",
+ "functionAlias": "MESCheckOnlineVIP",
+ "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n",
"functionParameters": "UserToCheck:string='All'",
"version": 2,
"tags": [
@@ -1105,7 +1098,7 @@
"[variables('parserObject3')._parserId3]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckVIP Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]",
"contentId": "[variables('parserObject3').parserContentId3]",
"kind": "Parser",
"version": "[variables('parserObject3').parserVersion3]",
@@ -1134,7 +1127,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MESCheckOnlineVIP Data Parser with template version 3.1.5",
+ "description": "MESCompareDataMRA Data Parser with template version 3.1.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject4').parserVersion4]",
@@ -1148,11 +1141,11 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
- "displayName": "Parser for VIP Check for Exchange Online",
+ "displayName": "Parser for MRA Configuration Data Comparison",
"category": "Microsoft Sentinel Parser",
- "functionAlias": "MESCheckOnlineVIP",
- "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n",
- "functionParameters": "UserToCheck:string='All'",
+ "functionAlias": "MESCompareDataMRA",
+ "query": "// Version: 1.1.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope.Name))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n",
+ "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')",
"version": 2,
"tags": [
{
@@ -1170,7 +1163,7 @@
"[variables('parserObject4')._parserId4]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]",
"contentId": "[variables('parserObject4').parserContentId4]",
"kind": "Parser",
"version": "[variables('parserObject4').parserVersion4]",
@@ -1199,9 +1192,9 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('parserObject4').parserContentId4]",
"contentKind": "Parser",
- "displayName": "Parser for VIP Check for Exchange Online",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]",
+ "displayName": "Parser for MRA Configuration Data Comparison",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.1.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.1.0')))]",
"version": "[variables('parserObject4').parserVersion4]"
}
},
@@ -1212,11 +1205,11 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
- "displayName": "Parser for VIP Check for Exchange Online",
+ "displayName": "Parser for MRA Configuration Data Comparison",
"category": "Microsoft Sentinel Parser",
- "functionAlias": "MESCheckOnlineVIP",
- "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n",
- "functionParameters": "UserToCheck:string='All'",
+ "functionAlias": "MESCompareDataMRA",
+ "query": "// Version: 1.1.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope.Name))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n",
+ "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')",
"version": 2,
"tags": [
{
@@ -1235,7 +1228,7 @@
"[variables('parserObject4')._parserId4]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]",
"contentId": "[variables('parserObject4').parserContentId4]",
"kind": "Parser",
"version": "[variables('parserObject4').parserVersion4]",
@@ -1264,7 +1257,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MESCompareDataMRA Data Parser with template version 3.1.5",
+ "description": "MESOfficeActivityLogs Data Parser with template version 3.1.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject5').parserVersion5]",
@@ -1278,11 +1271,11 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
- "displayName": "Parser for MRA Configuration Data Comparison",
+ "displayName": "Parser for Office Activity Logs",
"category": "Microsoft Sentinel Parser",
- "functionAlias": "MESCompareDataMRA",
- "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n",
- "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')",
+ "functionAlias": "MESOfficeActivityLogs",
+ "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\nlet CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://aka.ms/CmdletWatchlist\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) ;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.DisplayName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n union isfuzzy=true withsource=TableName \n SearchUserDisplayName,\n SearchUserSAMAccountName, \n SearchUserUPN\n };\nlet EventList = OfficeActivity\n | where RecordType == \"ExchangeAdmin\"\n | where UserType <> \"DcAdmin\" and UserKey !contains \"NT AUTHORITY\"\n | extend CmdletName = Operation\n | extend Param = replace_string(replace_string((replace_string(Parameters,'[{\"Name\":\"','-')),'\",\"Value\":\"',' : '),'\"},{\"Name\":\"',', -')\n // | extend Param = replace_string((replace_string(Parameters,'\",\"Value\":\"',' : ')),'\"},{\"Name\":\"',' -')\n | extend Param = replace_string((replace_string(Param,'\"},{\"',' ; ')),'\"}]','')\n | extend Param = replace_string(Param,'\\\\\\\\','\\\\')\n | extend TargetObject = tostring(split(split(Param,\"-Identity : \")[1],' -')[0])\n | extend TargetObject = replace_string(TargetObject,',','')\n | extend TargetObject = iff(TargetObject==\"\",TargetObject=\"N/A\",TargetObject);\nlet Office_Activity = (){\nEventList\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckOnlineVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend Caller = UserId\n | extend CmdletParameters = Param\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters1),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project TimeGenerated,Caller,TargetObject,IsVIP,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented\n};\nOffice_Activity\n",
+ "functionParameters": "",
"version": 2,
"tags": [
{
@@ -1300,7 +1293,7 @@
"[variables('parserObject5')._parserId5]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]",
"contentId": "[variables('parserObject5').parserContentId5]",
"kind": "Parser",
"version": "[variables('parserObject5').parserVersion5]",
@@ -1329,7 +1322,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('parserObject5').parserContentId5]",
"contentKind": "Parser",
- "displayName": "Parser for MRA Configuration Data Comparison",
+ "displayName": "Parser for Office Activity Logs",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]",
"version": "[variables('parserObject5').parserVersion5]"
@@ -1340,136 +1333,6 @@
"apiVersion": "2022-10-01",
"name": "[variables('parserObject5')._parserName5]",
"location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "Parser for MRA Configuration Data Comparison",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "MESCompareDataMRA",
- "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n",
- "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]",
- "dependsOn": [
- "[variables('parserObject5')._parserId5]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]",
- "contentId": "[variables('parserObject5').parserContentId5]",
- "kind": "Parser",
- "version": "[variables('parserObject5').parserVersion5]",
- "source": {
- "kind": "Solution",
- "name": "Microsoft Exchange Security - Exchange Online",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Community",
- "tier": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('parserObject6').parserTemplateSpecName6]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "MESOfficeActivityLogs Data Parser with template version 3.1.5",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserObject6').parserVersion6]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[variables('parserObject6')._parserName6]",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "Parser for Office Activity Logs",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "MESOfficeActivityLogs",
- "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\nlet CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://aka.ms/CmdletWatchlist\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) ;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.DisplayName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n union isfuzzy=true withsource=TableName \n SearchUserDisplayName,\n SearchUserSAMAccountName, \n SearchUserUPN\n };\nlet EventList = OfficeActivity\n | where RecordType == \"ExchangeAdmin\"\n | where UserType <> \"DcAdmin\" and UserKey !contains \"NT AUTHORITY\"\n | extend CmdletName = Operation\n | extend Param = replace_string(replace_string((replace_string(Parameters,'[{\"Name\":\"','-')),'\",\"Value\":\"',' : '),'\"},{\"Name\":\"',', -')\n // | extend Param = replace_string((replace_string(Parameters,'\",\"Value\":\"',' : ')),'\"},{\"Name\":\"',' -')\n | extend Param = replace_string((replace_string(Param,'\"},{\"',' ; ')),'\"}]','')\n | extend Param = replace_string(Param,'\\\\\\\\','\\\\')\n | extend TargetObject = tostring(split(split(Param,\"-Identity : \")[1],' -')[0])\n | extend TargetObject = replace_string(TargetObject,',','')\n | extend TargetObject = iff(TargetObject==\"\",TargetObject=\"N/A\",TargetObject);\nlet Office_Activity = (){\nEventList\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckOnlineVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend Caller = UserId\n | extend CmdletParameters = Param\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters1),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project TimeGenerated,Caller,TargetObject,IsVIP,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented\n};\nOffice_Activity\n",
- "functionParameters": "",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]",
- "dependsOn": [
- "[variables('parserObject6')._parserId6]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]",
- "contentId": "[variables('parserObject6').parserContentId6]",
- "kind": "Parser",
- "version": "[variables('parserObject6').parserVersion6]",
- "source": {
- "name": "Microsoft Exchange Security - Exchange Online",
- "kind": "Solution",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Community",
- "tier": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('parserObject6').parserContentId6]",
- "contentKind": "Parser",
- "displayName": "Parser for Office Activity Logs",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]",
- "version": "[variables('parserObject6').parserVersion6]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "[variables('parserObject6')._parserName6]",
- "location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Parser for Office Activity Logs",
@@ -1490,15 +1353,15 @@
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]",
"dependsOn": [
- "[variables('parserObject6')._parserId6]"
+ "[variables('parserObject5')._parserId5]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]",
- "contentId": "[variables('parserObject6').parserContentId6]",
+ "contentId": "[variables('parserObject5').parserContentId5]",
"kind": "Parser",
- "version": "[variables('parserObject6').parserVersion6]",
+ "version": "[variables('parserObject5').parserVersion5]",
"source": {
"kind": "Solution",
"name": "Microsoft Exchange Security - Exchange Online",
@@ -1524,7 +1387,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Exchange Least Privilege with RBAC - Online Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Least Privilege with RBAC - Online Workbook with template version 3.1.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -1542,7 +1405,7 @@
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"e59f0f7f-fd05-4ec8-9f59-e4d9c3b589f2\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Current RBAC Delegation\",\"subTarget\":\"RBACDelegation\",\"preText\":\"RBAC Delegation\",\"postText\":\"\",\"style\":\"link\"},{\"id\":\"26056188-7abf-4913-a927-806099e616eb\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Custom Roles\",\"subTarget\":\"CustomRole\",\"style\":\"link\"},{\"id\":\"5eeebe10-be67-4f8a-9d91-4bc6c70c3e16\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"start\",\"style\":\"link\"}]},\"name\":\"links - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The current delegation are compared to an export of default delegation available on Exchange Online.\\r\\n\\r\\nTo find which is used for the comparaison please follow this link.\\r\\nThe export is located on the public GitHub of the project.\\r\\n\\r\\ncheck this link : https://aka.ms/esiwatchlist\\r\\n\\r\\nIt will be updated by the team project.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on User Accounts\",\"items\":[{\"type\":1,\"content\":{\"json\":\" Custom Delegation on User Accounts\"},\"name\":\"text - 2 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d9d4e0a2-b75d-4825-9f4e-7606516500e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct RoleAssigneeName\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cf5959fa-a833-4bb2-90bd-d4c90dca5506\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| project Name, Role, RoleAssigneeName,Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope\\r\\n| sort by RoleAssigneeName asc\\r\\n\",\"size\":3,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on User Accounts\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done directly to a user account.\\r\\n\\r\\nDetailed information for the user accounts will be displayed.\\r\\n\\r\\nThis status is done by comparing current delegation with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nThese types of delegations are not available on the Exchange Admin Center.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done directly to service account. Being able to see this delegation will help to sanityze the environment as some delegations may be no more necessary\\r\\n\\r\\n - Delegation done by mistake directly to Administrator Accounts\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\n\\r\\nDetailed information for the user accounts will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on Groups\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Custom Delegation on Groups\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c548eb09-54e3-41bf-a99d-be3534f7018b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct RoleAssigneeName\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f5511a2b-9bf6-48ae-a968-2d1f879c8bfa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustMailRecipients\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nlet RoleG = ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n | project RoleAssigneeName=tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend ManagementRoleAssignment = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n|lookup RoleG on RoleAssigneeName \\r\\n| project-away CmdletResultValue\\r\\n| sort by RoleAssigneeName asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on Groups\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done for standard and non standard groups. Indeed, default groups have a list of default delegations but an Exchange administrators can add also new roles to the default groups.\\r\\n\\r\\nThis status is done by comparing current delegation with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done for Organization Management to role like Mailbox Import Export or Mailbox Search\\r\\n\\r\\n - Delegation done by mistake\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\nDetailed information for the user accounts present in the groups will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"RBACDelegation\"},\"name\":\"Custom Delegation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### How to user this tab\\r\\n**1 - Select an account** : All the Cmdlet launched by the account during the selected time frame will be displayer.\\r\\n\\r\\n**2 - Select a cmdlet** : All the roles that contain will be displayed\\r\\n\\r\\n**3 - Review the list of roles** : This table contains all the roles that contain the selected Cmdlet\\r\\n\\r\\n\",\"style\":\"info\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### How to undertand the \\\"List of Roles with this CmdLet\\\" table ? \\r\\n\\r\\n**WeightRole :** Display the wieight of this role based on its importance in terms of security risk\\r\\n\\r\\n**SumRole :** Among all the Cmdlet launched by the account during the defined time frame, this role available for x cmdlet. This role include x cmdlet run by the user.\\r\\n\\r\\n**OrgMgmtRole :** This role is really in the scope of Organization Management group. If the selected Cmdlet is not included is any other role, it make sense that this user is member of the Organization Management group\\r\\n\\r\\n \",\"style\":\"upsell\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CounUserCmdlet = (ExchangeAdminAuditLogs\\r\\n| where Status == \\\"Success\\\"\\r\\n| extend Caller = tostring(split(Caller,\\\"/\\\")[countof(Caller,\\\"/\\\")])\\r\\n| summarize Count=count() by Caller);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"Organization Management\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where CmdletResultValue.ObjectClass == \\\"user\\\"\\r\\n//| project CmdletResultValue,Count\\r\\n| extend Account = tostring(CmdletResultValue.SamAccountName)\\r\\n| join kind=leftouter (CounUserCmdlet) on $left.Account == $right.Caller\\r\\n| project Account,Count\\r\\n//| project-away CmdletResultValue\\r\\n| sort by Account asc\",\"size\":3,\"title\":\"Organization Management Members\",\"exportFieldName\":\"Account\",\"exportParameterName\":\"Account\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purple\"}}]}},\"customWidth\":\"20\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeAdminAuditLogs\\r\\n| where Caller contains \\\"{Account}\\\"\\r\\n| where Status == \\\"Success\\\"\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"size\":3,\"title\":\"List of CmdLet run by the account\",\"exportFieldName\":\"CmdletName\",\"exportParameterName\":\"CmdletName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| where Name has \\\"{CmdletName}\\\"\\r\\n| extend PossibleRoles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n|distinct PossibleRoles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by SumRole,RoleWeight\\r\\n\",\"size\":3,\"title\":\"List of Roles with this CmdLet\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"customWidth\":\"40\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"0\",\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where TimeGenerated {TimeRange} | where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| extend Roles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n| extend CmdletList=tostring(CmdletList)\\r\\n| summarize by Roles,CmdletList,RoleWeight,tostring(SumRole),OrgMgmtRole\\r\\n| distinct Roles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by Roles asc\",\"size\":0,\"title\":\"Recommended Roles for selected users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"name\":\"query - 3\"}]},\"name\":\"group - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Leastprivileges\"},\"name\":\"group - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Role details\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"List of Custom Roles\",\"items\":[{\"type\":1,\"content\":{\"json\":\"List of existing custom Roles\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"List of Custom with a Management Role Assignement (associated with a group or a user). Display the target account and scope if set\"},\"customWidth\":\"50\",\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| extend ParentRole =split(tostring(CmdletResultValue.Parent),\\\"\\\\\\\\\\\")[1]\\r\\n| project Identity, ParentRole, WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role, Scope, RoleAssigneeName\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project Role,RoleAssigneeName,Scope\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='ITSY', Target = \\\"Online\\\")\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role= tostring(CmdletResultValue.Role), Scope, RoleAssigneeName\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| project Role = Role1, Scope, RoleAssigneeName,Comment = iff(Role == \\\"\\\", \\\"⚠️ No existing delegation for this role\\\", \\\"✅ This role is delegated with a Management Role Assignment\\\")\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Role)\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| summarize acount = count() by iff( Role==\\\"\\\",\\\"Number of non assigned roles\\\", Role)\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 5\"}]},\"name\":\"List of Custom Roles\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Roles delegation on group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows delegation associated with the Custom Roles\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Details for Custom Roles Cmdlets \",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays for the chosen custom management roles all Cmdlets and their parameters associated with this custom role.\\r\\nRemember that for a cmdlet, some parameters can be removed.\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"07c8ac83-371d-4702-ab66-72aeb2a20053\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CustomRole\",\"type\":2,\"isRequired\":true,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| project Identity\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustPF\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustomDetails\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"{CustomRole}\\\"\\r\\n| extend CmdletName = CmdletResultValue.Name\\r\\n| extend Parameters = CmdletResultValue.Parameters\\r\\n| project CmdletName,Parameters\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Details for Custom Roles Cmdlets \"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CustomRole\"},\"name\":\"Custom Role\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeLeastPrivilegewithRBAC-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"e59f0f7f-fd05-4ec8-9f59-e4d9c3b589f2\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Current RBAC Delegation\",\"subTarget\":\"RBACDelegation\",\"preText\":\"RBAC Delegation\",\"postText\":\"\",\"style\":\"link\"},{\"id\":\"26056188-7abf-4913-a927-806099e616eb\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Custom Roles\",\"subTarget\":\"CustomRole\",\"style\":\"link\"},{\"id\":\"5eeebe10-be67-4f8a-9d91-4bc6c70c3e16\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"start\",\"style\":\"link\"}]},\"name\":\"links - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The current delegation are compared to an export of default delegation available on Exchange Online.\\r\\n\\r\\nTo find which is used for the comparaison please follow this link.\\r\\nThe export is located on the public GitHub of the project.\\r\\n\\r\\ncheck this link : https://aka.ms/esiwatchlist\\r\\n\\r\\nIt will be updated by the team project.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on User Accounts\",\"items\":[{\"type\":1,\"content\":{\"json\":\" Custom Delegation on User Accounts\"},\"name\":\"text - 2 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d9d4e0a2-b75d-4825-9f4e-7606516500e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct RoleAssigneeName\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cf5959fa-a833-4bb2-90bd-d4c90dca5506\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| project Name, Role, RoleAssigneeName,Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope\\r\\n| sort by RoleAssigneeName asc\\r\\n\",\"size\":3,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on User Accounts\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done directly to a user account.\\r\\n\\r\\nDetailed information for the user accounts will be displayed.\\r\\n\\r\\nThis status is done by comparing current delegation with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nThese types of delegations are not available on the Exchange Admin Center.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done directly to service account. Being able to see this delegation will help to sanityze the environment as some delegations may be no more necessary\\r\\n\\r\\n - Delegation done by mistake directly to Administrator Accounts\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\n\\r\\nDetailed information for the user accounts will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on Groups\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Custom Delegation on Groups\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c548eb09-54e3-41bf-a99d-be3534f7018b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct RoleAssigneeName\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f5511a2b-9bf6-48ae-a968-2d1f879c8bfa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustMailRecipients\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nlet RoleG = ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n | project RoleAssigneeName=tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend ManagementRoleAssignment = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n|lookup RoleG on RoleAssigneeName \\r\\n| project-away CmdletResultValue\\r\\n| sort by RoleAssigneeName asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on Groups\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done for standard and non standard groups. Indeed, default groups have a list of default delegations but an Exchange administrators can add also new roles to the default groups.\\r\\n\\r\\nThis status is done by comparing current delegation with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done for Organization Management to role like Mailbox Import Export or Mailbox Search\\r\\n\\r\\n - Delegation done by mistake\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\nDetailed information for the user accounts present in the groups will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"RBACDelegation\"},\"name\":\"Custom Delegation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### How to user this tab\\r\\n**1 - Select an account** : All the Cmdlet launched by the account during the selected time frame will be displayer.\\r\\n\\r\\n**2 - Select a cmdlet** : All the roles that contain will be displayed\\r\\n\\r\\n**3 - Review the list of roles** : This table contains all the roles that contain the selected Cmdlet\\r\\n\\r\\n\",\"style\":\"info\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### How to undertand the \\\"List of Roles with this CmdLet\\\" table ? \\r\\n\\r\\n**WeightRole :** Display the wieight of this role based on its importance in terms of security risk\\r\\n\\r\\n**SumRole :** Among all the Cmdlet launched by the account during the defined time frame, this role available for x cmdlet. This role include x cmdlet run by the user.\\r\\n\\r\\n**OrgMgmtRole :** This role is really in the scope of Organization Management group. If the selected Cmdlet is not included is any other role, it make sense that this user is member of the Organization Management group\\r\\n\\r\\n \",\"style\":\"upsell\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CounUserCmdlet = (ExchangeAdminAuditLogs\\r\\n| where Status == \\\"Success\\\"\\r\\n| extend Caller = tostring(split(Caller,\\\"/\\\")[countof(Caller,\\\"/\\\")])\\r\\n| summarize Count=count() by Caller);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"Organization Management\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where CmdletResultValue.ObjectClass == \\\"user\\\"\\r\\n//| project CmdletResultValue,Count\\r\\n| extend Account = tostring(CmdletResultValue.SamAccountName)\\r\\n| join kind=leftouter (CounUserCmdlet) on $left.Account == $right.Caller\\r\\n| project Account,Count\\r\\n//| project-away CmdletResultValue\\r\\n| sort by Account asc\",\"size\":3,\"title\":\"Organization Management Members\",\"exportFieldName\":\"Account\",\"exportParameterName\":\"Account\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purple\"}}]}},\"customWidth\":\"20\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeAdminAuditLogs\\r\\n| where Caller contains \\\"{Account}\\\"\\r\\n| where Status == \\\"Success\\\"\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"size\":3,\"title\":\"List of CmdLet run by the account\",\"exportFieldName\":\"CmdletName\",\"exportParameterName\":\"CmdletName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| where Name has \\\"{CmdletName}\\\"\\r\\n| extend PossibleRoles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n|distinct PossibleRoles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by SumRole,RoleWeight\\r\\n\",\"size\":3,\"title\":\"List of Roles with this CmdLet\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"customWidth\":\"40\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"0\",\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where TimeGenerated {TimeRange} | where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| extend Roles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n| extend CmdletList=tostring(CmdletList)\\r\\n| summarize by Roles,CmdletList,RoleWeight,tostring(SumRole),OrgMgmtRole\\r\\n| distinct Roles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by Roles asc\",\"size\":0,\"title\":\"Recommended Roles for selected users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"name\":\"query - 3\"}]},\"name\":\"group - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Leastprivileges\"},\"name\":\"group - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Role details\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"List of Custom Roles\",\"items\":[{\"type\":1,\"content\":{\"json\":\"List of existing custom Roles\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"List of Custom with a Management Role Assignement (associated with a group or a user). Display the target account and scope if set\"},\"customWidth\":\"50\",\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| extend ParentRole =split(tostring(CmdletResultValue.Parent),\\\"\\\\\\\\\\\")[1]\\r\\n| project Identity, ParentRole, WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role, Scope, RoleAssigneeName\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project Role,RoleAssigneeName,Scope\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='ITSY', Target = \\\"Online\\\")\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role= tostring(CmdletResultValue.Role), Scope, RoleAssigneeName\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| project Role = Role1, Scope, RoleAssigneeName,Comment = iff(Role == \\\"\\\", \\\"⚠️ No existing delegation for this role\\\", \\\"✅ This role is delegated with a Management Role Assignment\\\")\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Role)\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| summarize acount = count() by iff( Role==\\\"\\\",\\\"Number of non assigned roles\\\", Role)\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 5\"}]},\"name\":\"List of Custom Roles\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Roles delegation on group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows delegation associated with the Custom Roles\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Details for Custom Roles Cmdlets \",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays for the chosen custom management roles all Cmdlets and their parameters associated with this custom role.\\r\\nRemember that for a cmdlet, some parameters can be removed.\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"07c8ac83-371d-4702-ab66-72aeb2a20053\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CustomRole\",\"type\":2,\"isRequired\":true,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| project Identity\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustPF\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustomDetails\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"{CustomRole}\\\"\\r\\n| extend CmdletName = CmdletResultValue.Name\\r\\n| extend Parameters = CmdletResultValue.Parameters\\r\\n| project CmdletName,Parameters\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Details for Custom Roles Cmdlets \"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CustomRole\"},\"name\":\"Custom Role\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeLeastPrivilegewithRBAC-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -1611,7 +1474,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Exchange Security Review - Online Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Security Review - Online Workbook with template version 3.1.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion2')]",
@@ -1629,7 +1492,7 @@
},
"properties": {
"displayName": "[parameters('workbook2-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Security Review Online\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"181fa282-a002-42f1-ad57-dfb86df3194e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Compare_Collect\",\"type\":10,\"description\":\"If this button is checked, two collections will be compared\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a9e0099e-5eb1-43b8-915c-587aa05bccf0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateCompare\",\"type\":2,\"description\":\"Date to Comapre\",\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This workbook helps review your Exchange Security configuration.\\r\\nAdjust the time range, and when needed select an item in the dropdownlist\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Mailbox Access\",\"subTarget\":\"Delegation\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"EXO & Azure AD Groups\",\"subTarget\":\"ExchAD\",\"style\":\"link\"},{\"id\":\"26c68d90-925b-4c3c-a837-e3cecd489b2d\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Transport Configuration\",\"subTarget\":\"Transport\",\"style\":\"link\"},{\"id\":\"eb2888ca-7fa6-4e82-88db-1bb3663a801e\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"TopMenuTabs\"},{\"type\":1,\"content\":{\"json\":\"To compare collects, select **Yes** and choose the initial date.\\r\\nFor each role, a new table will be displayed with **all** the modifications (Add, Remove, Modifications) beetween the two dates.\\r\\n\\r\\n**Important notes** : Some information are limited are may be not 100% accurate :\\r\\n - Date\\r\\n - GUID of user instead of the name\\r\\n - Fusion of modifications when a role assisgnment is changed within the same collect \\r\\n - ... \\r\\n\\r\\nThis is due to some restrictions in the collect. For more details information, please check the workbook **\\\"Microsoft Exchange Search AdminAuditLog - Online\\\"**\\r\\n.\\r\\n\\r\\nThe compare functionnality is not available for all sections in this workbook.\\r\\n\"},\"name\":\"text - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\n\\r\\nThe goal of this workbook is to outline key security configurations of your Exchange on-premises environment.\\r\\n\\r\\nMost of Exchange organizations have were installed years ago (sometimes more than 10 years). Many configurations have been done and might not have been documented. For most environments, the core commitment was maintaining a high availability of the users’ mailboxes putting aside other consideration (even security considerations). Recommended security practices have also evolved since the first released and a regular review is necessary.\\r\\n\\r\\nThis workbook is designed to show your Exchange organization is configured with a security point of view. Indeed, some configurations easy to display as there are no UI available.\\r\\n\\r\\nFor each configuration, you will find explanations and recommendations when applicable.\\r\\n\\r\\n- This workbook does not pretend to show you every weak Security configurations, but the most common issues and known to be used by attackers. \\r\\n- It will not show you if you have been comprised, but will help you identify unexpected configuration.\\r\\n\\r\\n----\\r\\n\\r\\n## Quick reminder of how Exchange works\\r\\n\\r\\nDuring Exchange installation two very important groups are created :\\r\\n- Exchange Trusted Subsystem : Contain all the computer accounts for Exchange Server\\r\\n- Exchange Windows Permissions : Contain the group Exchange trusted Subsystem\\r\\n\\r\\nThese groups have :\\r\\n- Very high privileges in ALL AD domains including the root domain\\r\\n- Right on any Exchange including mailboxes\\r\\n\\r\\nAs each Exchange server computer account is member of Exchange Trusted Subsystem, it means by taking control of the computer account or being System on an Exchange server you will gain access to all the permissions granted to Exchange Trusted Subsystem and Exchange Windows Permissions.\\r\\n\\r\\nTo protect AD and Exchange, it is very important to ensure the following:\\r\\n- There is a very limited number of persons that are local Administrator on Exchange server\\r\\n- To protect user right like : Act part of the operating System, Debug\\r\\n\\r\\nEvery service account or application that have high privileges on Exchange need to be considered as sensitive\\r\\n\\r\\n** 💡 Exchange servers need to be considered as very sensitive servers**\\r\\n\\r\\n-----\\r\\n\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Mailbox Access\\r\\n\\r\\nThis tab will show you several top sensitive delegations that allow an account to access, modify, act as another user, search, export the content of a mailbox.\\r\\n\\r\\n### Exchange & AD Groups\\r\\n\\r\\nThis tab will show you the members of Exchange groups and Sensitive AD groups.\\r\\n\\r\\n### Local Administrators\\r\\n\\r\\nThis tab will show you the non standard content of the local Administrators group. Remember that a member of the local Administrators group can take control of the computer account of the server and then it will have all the permissions associated with Exchange Trusted Subsytem and Exchange Windows Permissions\\r\\n\\r\\nThe information is displayed with different views : \\r\\n- List of nonstandard users\\r\\n- Number of servers with a nonstandard a user\\r\\n- Nonstandard groups content\\r\\n- For each user important information are displayed like last logon, last password set, enabled\\r\\n\\r\\n### Exchange Security configuration\\r\\n\\r\\nThis tab will show you some important configuration for your Exchange Organization\\r\\n- Status of Admin Audit Log configuration\\r\\n- Status of POP and IMAP configuration : especially, is Plaintext Authentication configured ?\\r\\n- Nonstandard permissions on the Exchange container in the Configuration Partition\\r\\n\\r\\n### Transport Configuration\\r\\n\\r\\nThis tab will show you the configuration of the main Transport components\\r\\n- Receive Connectors configured with Anonymous and/or Open Relay\\r\\n- Remote Domain Autoforward configuration\\r\\n- Transport Rules configured with BlindCopyTo, SendTo, RedirectTo\\r\\n- Journal Rule and Journal Recipient configurations\\r\\n- Accepted Domains with *\\r\\n\\r\\n\"},\"name\":\"WorkbookInfo\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"InformationTab\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Display important security configurations that allow to access mailboxes' content. Direct delegations on mailboxes are not listed (Full Access permission mailboxes or direct delegations on mailboxes folders)\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !contains \\\"Deleg\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| where CmdletResultValue.Role contains \\\"Export\\\" or CmdletResultValue.Role contains \\\"Impersonation\\\" or CmdletResultValue.Role contains \\\"Search\\\"\\r\\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role)\",\"size\":3,\"title\":\"Number of accounts with sensitive RBAC roles\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"role\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_RoleAssigneeName\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"role\",\"sortOrderField\":1}},\"name\":\"MRAQuery\"},{\"type\":1,\"content\":{\"json\":\"**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes. This role is very powerfull and should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\\r\\n\\r\\nIt is common to see service accounts for backup solution, antivirus software, MDM...\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SensitiveRBACHelp\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Impersonation Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated account to access and modify the content of every mailboxes using EWS.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"Impersonation\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"Impersonation\\\")\",\"size\":3,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Application Impersonation Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Import Export Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to import contents in all mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Import Export** is an RBAC role that allows an account to import (export is not available online) contant in a user mailbox. It also allows searches in all mailboxes.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is not delegated to any user or group. The members of the group Organization Management by default do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n- create an empty group with this delegation\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"export\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"export\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Import Export Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Search Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to search inside all or in a scope of mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\nDiscovery Management has been excluded\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Search** is an RBAC role that allows an account to search in any mailbox.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is only delegated to the group Discovery Management. The members of the group Organization Management do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n\\r\\n- add the administrators in the Discovery Management group\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"search\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| where CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"Group\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"Search\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Search Role\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Delegation\"},\"name\":\"Importantsecurityconfiguration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange Group\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Ensure that no service account are a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\\r\\n- Limit the usage of nested group for administration.\\r\\n- Ensure that accounts are given only the required pernissions to execute their tasks.\\r\\n- Use just in time administration principle by adding users in a group only when they need the permissions, then remove them when their operation is over.\\r\\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\\r\\n- Monitor the content of the following groups:\\r\\n - TenantAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Organization Management\\r\\n - ExchangeServiceAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\\r\\n - Discovery Management\\r\\n - Hygiene Management\\r\\n - Security Administrator (Membership in this role group is synchronized across services and managed centrally)\\r\\n - xxx High privilege group (not an exhaustive list)\\r\\n - Compliance Management\\r\\n - All RBAC groups that have high roles delegation\\r\\n - All nested groups in high privileges groups\\r\\n - Note that this is not a complete list. The content of all the groups that have high privileges should be monitored.\\r\\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\\r\\n- Periodically review the members of the groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\" Number of direct members per group with RecipientType User\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n//| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| where RoleGroup has_any (\\\"TenantAdmins\\\",\\\"Organization Management\\\", \\\"Discovery Management\\\", \\\"Compliance Management\\\", \\\"Server Management\\\", \\\"ExchangeServiceAdmins\\\",\\\"Security Administrator\\\", \\\"SecurityAdmins\\\", \\\"Recipient Manangement\\\", \\\"Records Manangement\\\",\\\"Impersonation\\\",\\\"Export\\\")\\r\\n| sort by dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Number of direct members per group with RecipientType User\",\"expandable\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| sort by dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList - Copy\"},{\"type\":1,\"content\":{\"json\":\"Exchange Online groups content.\\r\\nSelect a group to display detailed information of its contents.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Windows Permissions\\\"\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Name)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\nExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.RoleGroup == \\\"{Group}\\\"\\r\\n//| where CmdletResultValue.Level != 0\\r\\n| project CmdletResultValue\\r\\n| extend Members = tostring(CmdletResultValue.Identity)\\r\\n//| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n//| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n//| extend Level = tostring(CmdletResultValue.Level)\\r\\n//| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n//| extend LastLogon = CmdletResultValue.LastLogonString\\r\\n//| extend LastLogon = iif ( todatetime (CmdletResultValue.LastLogonString) < ago(-366d), CmdletResultValue.LastLogonString,strcat(\\\"💥\\\",CmdletResultValue.LastLogonString))\\r\\n//| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend Members = case( CmdletResultValue.RecipientType == \\\"Group\\\", strcat( \\\"👪 \\\", Members), strcat( \\\"🧑🦰 \\\", Members) )\\r\\n| extend RecipientType = tostring(CmdletResultValue.RecipientType)\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Exchange group\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"ExchAD\"},\"name\":\"Exchange and AD GRoup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Security configuration\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Inbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the Inbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| extend WhenChanged = tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"InBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend SenderIPAddresses = iff( Identity == prev(Identity) and SenderIPAddresses != prev(SenderIPAddresses) and prev(SenderIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIPAddresses, \\\" (\\\",prev(SenderIPAddresses),\\\"->\\\", SenderIPAddresses,\\\" )\\\"),SenderIPAddresses)\\r\\n| extend SenderDomains = iff( Identity == prev(Identity) and SenderDomains != prev(SenderDomains) and prev(SenderDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderDomains, \\\" (\\\",prev(SenderDomains),\\\"->\\\", SenderDomains,\\\" )\\\"),SenderDomains)\\r\\n| extend TrustedOrganizations = iff( Identity == prev(Identity) and TrustedOrganizations != prev(TrustedOrganizations) and prev(TrustedOrganizations) !=\\\"\\\" , strcat(\\\"📍 \\\", TrustedOrganizations, \\\" (\\\",prev(TrustedOrganizations),\\\"->\\\", TrustedOrganizations,\\\" )\\\"),TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = iff (Identity == prev(Identity) and AssociatedAcceptedDomainsRequireTls != prev(AssociatedAcceptedDomainsRequireTls) and prev(AssociatedAcceptedDomainsRequireTls) !=\\\"\\\" , strcat(\\\"📍 \\\", AssociatedAcceptedDomainsRequireTls, \\\" (\\\",prev(AssociatedAcceptedDomainsRequireTls),\\\"->\\\", AssociatedAcceptedDomainsRequireTls,\\\" )\\\"),AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = iff(Identity == prev(Identity) and RestrictDomainsToIPAddresses != prev(RestrictDomainsToIPAddresses) and prev(RestrictDomainsToIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToIPAddresses, \\\" (\\\",prev(RestrictDomainsToIPAddresses),\\\"->\\\", RestrictDomainsToIPAddresses,\\\" )\\\"),RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = iff( Identity == prev(Identity) and RestrictDomainsToCertificate != prev(RestrictDomainsToCertificate) and prev(RestrictDomainsToCertificate) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToCertificate, \\\" (\\\",prev(RestrictDomainsToCertificate),\\\"->\\\", RestrictDomainsToCertificate,\\\" )\\\"),RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = iff( Identity == prev(Identity) and TreatMessagesAsInternal != prev(TreatMessagesAsInternal) and prev(TreatMessagesAsInternal) !=\\\"\\\" , strcat(\\\"📍 \\\", TreatMessagesAsInternal, \\\" (\\\",prev(TreatMessagesAsInternal),\\\"->\\\", TreatMessagesAsInternal,\\\" )\\\"),TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = iff(Identity == prev(Identity) and TlsSenderCertificateName != prev(TlsSenderCertificateName) and prev(TlsSenderCertificateName) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsSenderCertificateName, \\\" (\\\",prev(TlsSenderCertificateName),\\\"->\\\", TlsSenderCertificateName,\\\" )\\\"),TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = iff( Identity == prev(Identity) and ScanAndDropRecipients != prev(ScanAndDropRecipients) and prev(ScanAndDropRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ScanAndDropRecipients, \\\" (\\\",prev(ScanAndDropRecipients),\\\"->\\\", ScanAndDropRecipients,\\\" )\\\"),ScanAndDropRecipients)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\" or SenderIPAddresses contains \\\"📍\\\" or SenderDomains contains \\\"📍\\\" or TrustedOrganizations contains \\\"📍\\\" or AssociatedAcceptedDomainsRequireTls contains \\\"📍\\\" or RestrictDomainsToIPAddresses contains \\\"📍\\\" or RestrictDomainsToCertificate contains \\\"📍\\\" or CloudServicesMailEnabled contains \\\"📍\\\" or TreatMessagesAsInternal contains \\\"📍\\\" or TlsSenderCertificateName contains \\\"📍\\\" or ScanAndDropRecipients contains \\\"📍\\\" or Comment contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n ConnectorSource,\\r\\n Comment,\\r\\n SenderIPAddresses,\\r\\n SenderDomains,\\r\\n TrustedOrganizations,\\r\\n AssociatedAcceptedDomainsRequireTls,\\r\\n RestrictDomainsToIPAddresses,\\r\\n RestrictDomainsToCertificate,\\r\\n CloudServicesMailEnabled,\\r\\n TreatMessagesAsInternal,\\r\\n TlsSenderCertificateName,\\r\\n ScanAndDropRecipients,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Inbound Connector configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the Outbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n| extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n| extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n| extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n| extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n| extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n| extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n| extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n| extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| extend WhenChanged = tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Outbound Connector configuration - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"OutBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend Comment = iff( Comment == prev(Comment) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend RecipientDomains = iff( Identity == prev(Identity) and RecipientDomains != prev(RecipientDomains) and prev(RecipientDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", RecipientDomains, \\\" (\\\",prev(RecipientDomains),\\\"->\\\", RecipientDomains,\\\" )\\\"),RecipientDomains)\\r\\n| extend SmartHosts = iff( Identity == prev(Identity) and SmartHosts != prev(SmartHosts) and prev(SmartHosts) !=\\\"\\\" , strcat(\\\"📍 \\\", SmartHosts, \\\" (\\\",prev(SmartHosts),\\\"->\\\", SmartHosts,\\\" )\\\"),SmartHosts)\\r\\n| extend TlsDomain = iff( Identity == prev(Identity) and TlsDomain != prev(TlsDomain) and prev(TlsDomain) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsDomain, \\\" (\\\",prev(TlsDomain),\\\"->\\\", TlsDomain,\\\" )\\\"),TlsDomain)\\r\\n| extend IsTransportRuleScoped = iff( Identity == prev(Identity) and IsTransportRuleScoped != prev(IsTransportRuleScoped) and prev(IsTransportRuleScoped) !=\\\"\\\" , strcat(\\\"📍 \\\", IsTransportRuleScoped, \\\" (\\\",prev(IsTransportRuleScoped),\\\"->\\\", IsTransportRuleScoped,\\\" )\\\"),IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = iff( Identity == prev(Identity) and RouteAllMessagesViaOnPremises != prev(RouteAllMessagesViaOnPremises) and prev(RouteAllMessagesViaOnPremises) !=\\\"\\\" , strcat(\\\"📍 \\\", RouteAllMessagesViaOnPremises, \\\" (\\\",prev(RouteAllMessagesViaOnPremises),\\\"->\\\", RouteAllMessagesViaOnPremises,\\\" )\\\"),RouteAllMessagesViaOnPremises)\\r\\n| extend AllAcceptedDomains = iff( Identity == prev(Identity) and AllAcceptedDomains != prev(AllAcceptedDomains) and prev(AllAcceptedDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", AllAcceptedDomains, \\\" (\\\",prev(AllAcceptedDomains),\\\"->\\\", AllAcceptedDomains,\\\" )\\\"),AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = iff( Identity == prev(Identity) and SenderRewritingEnabled != prev(SenderRewritingEnabled) and prev(SenderRewritingEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderRewritingEnabled, \\\" (\\\",prev(SenderRewritingEnabled),\\\"->\\\", SenderRewritingEnabled,\\\" )\\\"),SenderRewritingEnabled)\\r\\n| extend TestMode = iff( Identity == prev(Identity)and TestMode != prev(TestMode) and prev(TestMode) !=\\\"\\\" , strcat(\\\"📍 \\\", TestMode, \\\" (\\\",prev(TestMode),\\\"->\\\", TestMode,\\\" )\\\"),TestMode)\\r\\n| extend LinkForModifiedConnector = iff( Identity == prev(Identity) and LinkForModifiedConnector != prev(LinkForModifiedConnector) and prev(LinkForModifiedConnector) !=\\\"\\\" , strcat(\\\"📍 \\\", LinkForModifiedConnector, \\\" (\\\",prev(LinkForModifiedConnector),\\\"->\\\", LinkForModifiedConnector,\\\" )\\\"),LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = iff( Identity == prev(Identity) and ValidationRecipients != prev(ValidationRecipients) and prev(ValidationRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ValidationRecipients, \\\" (\\\",prev(ValidationRecipients),\\\"->\\\", ValidationRecipients,\\\" )\\\"),ValidationRecipients)\\r\\n| extend IsValidated = iff( Identity == prev(Identity) and IsValidated != prev(IsValidated) and prev(IsValidated) !=\\\"\\\" , strcat(\\\"📍 \\\", IsValidated, \\\" (\\\",prev(IsValidated),\\\"->\\\", IsValidated,\\\" )\\\"),IsValidated)\\r\\n| extend LastValidationTimestamp = iff( Identity == prev(Identity) and LastValidationTimestamp != prev(LastValidationTimestamp) and prev(LastValidationTimestamp) !=\\\"\\\" , strcat(\\\"📍 \\\", LastValidationTimestamp, \\\" (\\\",prev(LastValidationTimestamp),\\\"->\\\", LastValidationTimestamp,\\\" )\\\"),LastValidationTimestamp)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\"or CloudServicesMailEnabled contains \\\"📍\\\" or Comment contains \\\"📍\\\" or UseMXRecord contains \\\"📍\\\" or RecipientDomains contains \\\"📍\\\" or SmartHosts contains \\\"📍\\\" or TlsDomain contains \\\"📍\\\" or TlsSettings contains \\\"📍\\\" or IsTransportRuleScoped contains \\\"📍\\\" or RouteAllMessagesViaOnPremises contains \\\"📍\\\" or AllAcceptedDomains contains \\\"📍\\\" or SenderRewritingEnabled contains \\\"📍\\\" or TestMode contains \\\"📍\\\" or LinkForModifiedConnector contains \\\"📍\\\" or ValidationRecipients contains \\\"📍\\\" or IsValidated contains \\\"📍\\\" or LastValidationTimestamp contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n ConnectorSource, \\r\\n CloudServicesMailEnabled,\\r\\n Comment,\\r\\n UseMXRecord,\\r\\n RecipientDomains,\\r\\n SmartHosts,\\r\\n TlsDomain,\\r\\n TlsSettings,\\r\\n IsTransportRuleScoped,\\r\\n RouteAllMessagesViaOnPremises,\\r\\n AllAcceptedDomains,\\r\\n SenderRewritingEnabled,\\r\\n TestMode,\\r\\n LinkForModifiedConnector,\\r\\n ValidationRecipients,\\r\\n IsValidated,\\r\\n LastValidationTimestamp,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Rules with specific actions to monitor\",\"items\":[{\"type\":1,\"content\":{\"json\":\"A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\\r\\n\\r\\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\\r\\n- BlindCopyTo\\r\\n- SentTo\\r\\n- CopyTo\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n| extend State = tostring(CmdletResultValue.State)\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n| extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Transport Rules actions to monitor\"},{\"type\":1,\"content\":{\"json\":\"** Due to lack of informaiton in Powershell, the Transport Rule compare section could display approximate information for Add and Modif. Especially, for the WhenCreated parameter.\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange =\\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"TransportRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| sort by Identity,TimeGenerated asc\\r\\n | extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend WhenChanged = todatetime(bin(WhenChanged,1m))\\r\\n | extend aa=prev(WhenCreated)\\r\\n | extend WhenCreated = iff( Identity == prev(Identity) and WhenChanged != prev(WhenChanged),aa ,WhenChanged)\\r\\n | extend WhenCreated =bin(WhenCreated,1m)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = inner (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,Mode,SetSCL,SenderIpRangesString,MessageTypeMatchesString,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData1 = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffAddData2 = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\"\\r\\n| distinct Identity;\\r\\nlet DiffAddData = DiffAddData1\\r\\n| join DiffAddData2 on Identity\\r\\n;\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenChanged,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo, SetSCL, SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend SentTo = iff( Identity == prev(Identity) and SentTo != prev(SentTo) and prev(SentTo) !=\\\"\\\" , strcat(\\\"📍 \\\", SentTo, \\\" (\\\",prev(SentTo),\\\"->\\\", SentTo,\\\" )\\\"),SentTo)\\r\\n| extend BlindCopyTo = iff( Identity == prev(Identity) and BlindCopyTo != prev(BlindCopyTo) and prev(BlindCopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", BlindCopyTo, \\\" (\\\",prev(BlindCopyTo),\\\"->\\\", BlindCopyTo,\\\" )\\\"),BlindCopyTo)\\r\\n| extend CopyTo = iff( Identity == prev(Identity) and CopyTo != prev(CopyTo) and prev(CopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", CopyTo, \\\" (\\\",prev(CopyTo),\\\"->\\\", CopyTo,\\\" )\\\"),CopyTo)\\r\\n| extend SetSCL = iff( Identity == prev(Identity)and SetSCL != prev(SetSCL) and prev(SetSCL) !=\\\"\\\" , strcat(\\\"📍 \\\", SetSCL, \\\" (\\\",prev(SetSCL),\\\"->\\\", SetSCL,\\\" )\\\"),SetSCL)\\r\\n| extend SenderIpRangesString = iff( Identity == prev(Identity)and SenderIpRangesString != prev(SenderIpRangesString) and prev(SenderIpRangesString) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIpRangesString, \\\" (\\\",prev(SenderIpRangesString),\\\"->\\\", SenderIpRangesString,\\\" )\\\"),SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = iff( Identity == prev(Identity)and MessageTypeMatchesString != prev(MessageTypeMatchesString) and prev(MessageTypeMatchesString) !=\\\"\\\" , strcat(\\\"📍 \\\", MessageTypeMatchesString, \\\" (\\\",prev(MessageTypeMatchesString),\\\"->\\\", MessageTypeMatchesString,\\\" )\\\"),MessageTypeMatchesString)\\r\\n| extend Mode = iff( Identity == prev(Identity)and Mode != prev(Mode) and prev(Mode) !=\\\"\\\" , strcat(\\\"📍 \\\", Mode, \\\" (\\\",prev(Mode),\\\"->\\\", Mode,\\\" )\\\"),Mode)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or SentTo contains \\\"📍\\\" or BlindCopyTo contains \\\"📍\\\" or CopyTo contains \\\"📍\\\" or SetSCL contains \\\"📍\\\" or SenderIpRangesString contains \\\"📍\\\" or MessageTypeMatchesString contains \\\"📍\\\" or Mode contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n SetSCL,\\r\\n SenderIpRangesString,\\r\\n MessageTypeMatchesString,\\r\\n Mode,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Policy : Autoforward configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is enabled, then automatic transfer are allowed.\\r\\nFor example: users in Outlook will be able set automatic transfer of all their emails to external addresses.\\r\\nThere are several methods to authorized automatic forward. \\r\\nPlease review this article : https://learn.microsoft.com/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding?view=o365-worldwide\\r\\n**In summary :**\\r\\n\\r\\n**Scenario 1 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Off.\\r\\n*Result :* \\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\n\\r\\n**Scenario 2 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Automatic - System-controlled.\\r\\n\\r\\n*Result :* \\r\\n\\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\nAs described earlier, Automatic - System-controlled used to mean On, but the setting has changed over time to mean Off in all organizations.\\r\\n\\r\\nFor absolute clarity, you should configure your outbound spam filter policy to On or Off.\\r\\n\\r\\n**Scenario 3 :**\\r\\n\\r\\nAutomatic forwarding in the outbound spam filter policy is set to On\\r\\nYou use mail flow rules or remote domains to block automatically forwarded email\\r\\n\\r\\n*Result : *\\r\\n\\r\\nAutomatically forwarded messages to affected recipients are blocked by mail flow rules or remote domains.\\r\\n****\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n| join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n| extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n| extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n| extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n| extend AutoForwardingMode= iff (CmdletResultValue.AutoForwardingMode == \\\"On\\\" , strcat (\\\"❌ \\\", tostring(CmdletResultValue.AutoForwardingMode)), tostring(CmdletResultValue.AutoForwardingMode))\\r\\n| extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n| extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n| extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n| extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n| extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n| extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n| extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n| extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n| extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n| project Identity,IsDefault,Enabled,AutoForwardingMode,OutboundSpamFilterRule,BccSuspiciousOutboundAdditionalRecipients,BccSuspiciousOutboundMail,NotifyOutboundSpam,NotifyOutboundSpamRecipient,WhenChanged,WhenCreated\\r\\n| sort by Identity asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"OutboundPol - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRangeOSFR = ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n | project Identity, HostedOutboundSpamFilterPolicy;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterPolicy\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | project\\r\\n TimeGenerated,\\r\\n Identity,\\r\\n CmdletResultValue,\\r\\n WhenChanged = todatetime(bin(WhenChanged_t,1m)),\\r\\n WhenCreated=todatetime(bin(WhenCreated_t,1m))\\r\\n | join kind=fullouter allDataRangeOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData\\r\\n | where WhenCreated >= _DateCompareB)\\r\\n on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange) on WhenCreated\\r\\n | where WhenCreated >= _DateCompareB\\r\\n | where bin(WhenCreated, 5m) == bin(WhenChanged, 5m)\\r\\n | distinct\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddData = union DiffAddDataP1, DiffAddDataP2\\r\\n | extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | project\\r\\n WhenChanged=_CurrentDateB,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated\\r\\n;\\r\\nlet DiffModifData = union AfterData, allDataRange\\r\\n | sort by Identity, WhenChanged asc\\r\\n | project\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | extend Identity = iff(Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) != \\\"\\\", strcat(\\\"📍 \\\", Identity, \\\" (\\\", prev(Identity), \\\"->\\\", Identity, \\\" )\\\"), Identity)\\r\\n | extend IsDefault = iff(Identity == prev(Identity) and IsDefault != prev(IsDefault) and prev(IsDefault) != \\\"\\\", strcat(\\\"📍 \\\", IsDefault, \\\" (\\\", prev(IsDefault), \\\"->\\\", IsDefault, \\\" )\\\"), IsDefault)\\r\\n | extend Enabled = iff(Identity == prev(Identity) and Enabled != prev(Enabled) and prev(Enabled) != \\\"\\\", strcat(\\\"📍 \\\", Enabled, \\\" (\\\", prev(Enabled), \\\"->\\\", Enabled, \\\" )\\\"), Enabled)\\r\\n | extend AutoForwardingMode = iff(Identity == prev(Identity) and AutoForwardingMode != prev(AutoForwardingMode) and prev(AutoForwardingMode) != \\\"\\\", strcat(\\\"📍 \\\", AutoForwardingMode, \\\" (\\\", prev(AutoForwardingMode), \\\"->\\\", AutoForwardingMode, \\\" )\\\"), AutoForwardingMode)\\r\\n | extend OutboundSpamFilterRule = iff(Identity == prev(Identity) and OutboundSpamFilterRule != prev(OutboundSpamFilterRule) and prev(OutboundSpamFilterRule) != \\\"\\\", strcat(\\\"📍 \\\", OutboundSpamFilterRule, \\\" (\\\", prev(OutboundSpamFilterRule), \\\"->\\\", OutboundSpamFilterRule, \\\" )\\\"), OutboundSpamFilterRule)\\r\\n | extend RecommendedPolicyType = iff(Identity == prev(Identity) and RecommendedPolicyType != prev(RecommendedPolicyType) and prev(RecommendedPolicyType) != \\\"\\\", strcat(\\\"📍 \\\", RecommendedPolicyType, \\\" (\\\", prev(RecommendedPolicyType), \\\"->\\\", RecommendedPolicyType, \\\" )\\\"), RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = iff(Identity == prev(Identity) and RecipientLimitExternalPerHour != prev(RecipientLimitExternalPerHour) and prev(RecipientLimitExternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitExternalPerHour, \\\" (\\\", prev(RecipientLimitExternalPerHour), \\\"->\\\", RecipientLimitExternalPerHour, \\\" )\\\"), RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = iff(Identity == prev(Identity) and RecipientLimitInternalPerHour != prev(RecipientLimitInternalPerHour) and prev(RecipientLimitInternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitInternalPerHour, \\\" (\\\", prev(RecipientLimitInternalPerHour), \\\"->\\\", RecipientLimitInternalPerHour, \\\" )\\\"), RecipientLimitInternalPerHour)\\r\\n | extend ActionWhenThresholdReached = iff(Identity == prev(Identity) and ActionWhenThresholdReached != prev(ActionWhenThresholdReached) and prev(ActionWhenThresholdReached) != \\\"\\\", strcat(\\\"📍 \\\", ActionWhenThresholdReached, \\\" (\\\", prev(ActionWhenThresholdReached), \\\"->\\\", ActionWhenThresholdReached, \\\" )\\\"), ActionWhenThresholdReached)\\r\\n | extend RecipientLimitPerDay = iff(Identity == prev(Identity) and RecipientLimitPerDay != prev(RecipientLimitPerDay) and prev(RecipientLimitPerDay) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitPerDay, \\\" (\\\", prev(RecipientLimitPerDay), \\\"->\\\", RecipientLimitPerDay, \\\" )\\\"), RecipientLimitPerDay)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients = iff(Identity == prev(Identity) and BccSuspiciousOutboundAdditionalRecipients != prev(BccSuspiciousOutboundAdditionalRecipients) and prev(BccSuspiciousOutboundAdditionalRecipients) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundAdditionalRecipients, \\\" (\\\", prev(BccSuspiciousOutboundAdditionalRecipients), \\\"->\\\", BccSuspiciousOutboundAdditionalRecipients, \\\" )\\\"), BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = iff(Identity == prev(Identity) and BccSuspiciousOutboundMail != prev(BccSuspiciousOutboundMail) and prev(BccSuspiciousOutboundMail) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundMail, \\\" (\\\", prev(BccSuspiciousOutboundMail), \\\"->\\\", BccSuspiciousOutboundMail, \\\" )\\\"), BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam = iff(Identity == prev(Identity) and NotifyOutboundSpam != prev(NotifyOutboundSpam) and prev(NotifyOutboundSpam) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpam, \\\" (\\\", prev(NotifyOutboundSpam), \\\"->\\\", NotifyOutboundSpam, \\\" )\\\"), NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = iff(Identity == prev(Identity) and NotifyOutboundSpamRecipient != prev(NotifyOutboundSpamRecipient) and prev(NotifyOutboundSpamRecipient) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpamRecipient, \\\" (\\\", prev(NotifyOutboundSpamRecipient), \\\"->\\\", NotifyOutboundSpamRecipient, \\\" )\\\"), NotifyOutboundSpamRecipient)\\r\\n | extend ActiontypeR =iff((Identity contains \\\"📍\\\" or IsDefault contains \\\"📍\\\" or Enabled contains \\\"📍\\\" or OutboundSpamFilterRule contains \\\"📍\\\" or AutoForwardingMode contains \\\"📍\\\" or BccSuspiciousOutboundAdditionalRecipients contains \\\"📍\\\" or BccSuspiciousOutboundMail contains \\\"📍\\\" or NotifyOutboundSpam contains \\\"📍\\\" or NotifyOutboundSpamRecipient contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is set to True for an SMTP domain and the Outbound Policy is set to On then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\\r\\n\\r\\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. \\r\\n\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName == \\\"*\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName != \\\"*\\\", strcat (\\\"⚠️ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅ \\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ForwardGroup\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"RemoteDomain\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,DomainName,AutoForwardEnabled,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend DomainName = iff( Identity == prev(Identity) and DomainName != prev(DomainName) and prev(DomainName) !=\\\"\\\" , strcat(\\\"📍 \\\", DomainName, \\\" (\\\",prev(DomainName),\\\"->\\\", DomainName,\\\" )\\\"),DomainName)\\r\\n| extend AutoForwardEnabled = iff( Identity == prev(Identity) and AutoForwardEnabled != prev(AutoForwardEnabled) and prev(AutoForwardEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", AutoForwardEnabled, \\\" (\\\",prev(AutoForwardEnabled),\\\"->\\\", AutoForwardEnabled,\\\" )\\\"),AutoForwardEnabled)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or DomainName contains \\\"📍\\\" or AutoForwardEnabled contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n DomainName,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Transport\"},\"name\":\"Transport Security configuration\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityReview-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Security Review Online\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"181fa282-a002-42f1-ad57-dfb86df3194e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Compare_Collect\",\"type\":10,\"description\":\"If this button is checked, two collections will be compared\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a9e0099e-5eb1-43b8-915c-587aa05bccf0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateCompare\",\"type\":2,\"description\":\"Date to Comapre\",\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This workbook helps review your Exchange Security configuration.\\r\\nAdjust the time range, and when needed select an item in the dropdownlist\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Mailbox Access\",\"subTarget\":\"Delegation\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"EXO & Azure AD Groups\",\"subTarget\":\"ExchAD\",\"style\":\"link\"},{\"id\":\"26c68d90-925b-4c3c-a837-e3cecd489b2d\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Transport Configuration\",\"subTarget\":\"Transport\",\"style\":\"link\"},{\"id\":\"eb2888ca-7fa6-4e82-88db-1bb3663a801e\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"TopMenuTabs\"},{\"type\":1,\"content\":{\"json\":\"To compare collects, select **Yes** and choose the initial date.\\r\\nFor each role, a new table will be displayed with **all** the modifications (Add, Remove, Modifications) beetween the two dates.\\r\\n\\r\\n**Important notes** : Some information are limited are may be not 100% accurate :\\r\\n - Date\\r\\n - GUID of user instead of the name\\r\\n - Fusion of modifications when a role assisgnment is changed within the same collect \\r\\n - ... \\r\\n\\r\\nThis is due to some restrictions in the collect. For more details information, please check the workbook **\\\"Microsoft Exchange Search AdminAuditLog - Online\\\"**\\r\\n.\\r\\n\\r\\nThe compare functionnality is not available for all sections in this workbook.\\r\\n\"},\"name\":\"text - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\n\\r\\nThe goal of this workbook is to outline key security configurations of your Exchange on-premises environment.\\r\\n\\r\\nMost of Exchange organizations have were installed years ago (sometimes more than 10 years). Many configurations have been done and might not have been documented. For most environments, the core commitment was maintaining a high availability of the users’ mailboxes putting aside other consideration (even security considerations). Recommended security practices have also evolved since the first released and a regular review is necessary.\\r\\n\\r\\nThis workbook is designed to show your Exchange organization is configured with a security point of view. Indeed, some configurations easy to display as there are no UI available.\\r\\n\\r\\nFor each configuration, you will find explanations and recommendations when applicable.\\r\\n\\r\\n- This workbook does not pretend to show you every weak Security configurations, but the most common issues and known to be used by attackers. \\r\\n- It will not show you if you have been comprised, but will help you identify unexpected configuration.\\r\\n\\r\\n----\\r\\n\\r\\n## Quick reminder of how Exchange works\\r\\n\\r\\nDuring Exchange installation two very important groups are created :\\r\\n- Exchange Trusted Subsystem : Contain all the computer accounts for Exchange Server\\r\\n- Exchange Windows Permissions : Contain the group Exchange trusted Subsystem\\r\\n\\r\\nThese groups have :\\r\\n- Very high privileges in ALL AD domains including the root domain\\r\\n- Right on any Exchange including mailboxes\\r\\n\\r\\nAs each Exchange server computer account is member of Exchange Trusted Subsystem, it means by taking control of the computer account or being System on an Exchange server you will gain access to all the permissions granted to Exchange Trusted Subsystem and Exchange Windows Permissions.\\r\\n\\r\\nTo protect AD and Exchange, it is very important to ensure the following:\\r\\n- There is a very limited number of persons that are local Administrator on Exchange server\\r\\n- To protect user right like : Act part of the operating System, Debug\\r\\n\\r\\nEvery service account or application that have high privileges on Exchange need to be considered as sensitive\\r\\n\\r\\n** 💡 Exchange servers need to be considered as very sensitive servers**\\r\\n\\r\\n-----\\r\\n\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Mailbox Access\\r\\n\\r\\nThis tab will show you several top sensitive delegations that allow an account to access, modify, act as another user, search, export the content of a mailbox.\\r\\n\\r\\n### Exchange & AD Groups\\r\\n\\r\\nThis tab will show you the members of Exchange groups and Sensitive AD groups.\\r\\n\\r\\n### Local Administrators\\r\\n\\r\\nThis tab will show you the non standard content of the local Administrators group. Remember that a member of the local Administrators group can take control of the computer account of the server and then it will have all the permissions associated with Exchange Trusted Subsytem and Exchange Windows Permissions\\r\\n\\r\\nThe information is displayed with different views : \\r\\n- List of nonstandard users\\r\\n- Number of servers with a nonstandard a user\\r\\n- Nonstandard groups content\\r\\n- For each user important information are displayed like last logon, last password set, enabled\\r\\n\\r\\n### Exchange Security configuration\\r\\n\\r\\nThis tab will show you some important configuration for your Exchange Organization\\r\\n- Status of Admin Audit Log configuration\\r\\n- Status of POP and IMAP configuration : especially, is Plaintext Authentication configured ?\\r\\n- Nonstandard permissions on the Exchange container in the Configuration Partition\\r\\n\\r\\n### Transport Configuration\\r\\n\\r\\nThis tab will show you the configuration of the main Transport components\\r\\n- Receive Connectors configured with Anonymous and/or Open Relay\\r\\n- Remote Domain Autoforward configuration\\r\\n- Transport Rules configured with BlindCopyTo, SendTo, RedirectTo\\r\\n- Journal Rule and Journal Recipient configurations\\r\\n- Accepted Domains with *\\r\\n\\r\\n\"},\"name\":\"WorkbookInfo\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"InformationTab\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Display important security configurations that allow to access mailboxes' content. Direct delegations on mailboxes are not listed (Full Access permission mailboxes or direct delegations on mailboxes folders)\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !contains \\\"Deleg\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| where CmdletResultValue.Role contains \\\"Export\\\" or CmdletResultValue.Role contains \\\"Impersonation\\\" or CmdletResultValue.Role contains \\\"Search\\\"\\r\\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role)\",\"size\":3,\"title\":\"Number of accounts with sensitive RBAC roles\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"role\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_RoleAssigneeName\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"role\",\"sortOrderField\":1}},\"name\":\"MRAQuery\"},{\"type\":1,\"content\":{\"json\":\"**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes. This role is very powerfull and should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\\r\\n\\r\\nIt is common to see service accounts for backup solution, antivirus software, MDM...\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SensitiveRBACHelp\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Impersonation Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated account to access and modify the content of every mailboxes using EWS.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"Impersonation\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"Impersonation\\\")\",\"size\":3,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Application Impersonation Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Import Export Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to import contents in all mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Import Export** is an RBAC role that allows an account to import (export is not available online) contant in a user mailbox. It also allows searches in all mailboxes.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is not delegated to any user or group. The members of the group Organization Management by default do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n- create an empty group with this delegation\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"export\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"export\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Import Export Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Search Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to search inside all or in a scope of mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\nDiscovery Management has been excluded\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Search** is an RBAC role that allows an account to search in any mailbox.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is only delegated to the group Discovery Management. The members of the group Organization Management do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n\\r\\n- add the administrators in the Discovery Management group\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"search\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| where CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"Group\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"Search\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Search Role\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Delegation\"},\"name\":\"Importantsecurityconfiguration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange Group\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Ensure that no service account are a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\\r\\n- Limit the usage of nested group for administration.\\r\\n- Ensure that accounts are given only the required pernissions to execute their tasks.\\r\\n- Use just in time administration principle by adding users in a group only when they need the permissions, then remove them when their operation is over.\\r\\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\\r\\n- Monitor the content of the following groups:\\r\\n - TenantAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Organization Management\\r\\n - ExchangeServiceAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\\r\\n - Discovery Management\\r\\n - Hygiene Management\\r\\n - Security Administrator (Membership in this role group is synchronized across services and managed centrally)\\r\\n - xxx High privilege group (not an exhaustive list)\\r\\n - Compliance Management\\r\\n - All RBAC groups that have high roles delegation\\r\\n - All nested groups in high privileges groups\\r\\n - Note that this is not a complete list. The content of all the groups that have high privileges should be monitored.\\r\\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\\r\\n- Periodically review the members of the groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\" Number of direct members per group with RecipientType User\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n//| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| where RoleGroup has_any (\\\"TenantAdmins\\\",\\\"Organization Management\\\", \\\"Discovery Management\\\", \\\"Compliance Management\\\", \\\"Server Management\\\", \\\"ExchangeServiceAdmins\\\",\\\"Security Administrator\\\", \\\"SecurityAdmins\\\", \\\"Recipient Manangement\\\", \\\"Records Manangement\\\",\\\"Impersonation\\\",\\\"Export\\\")\\r\\n| sort by dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Number of direct members per group with RecipientType User\",\"expandable\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| sort by dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList - Copy\"},{\"type\":1,\"content\":{\"json\":\"Exchange Online groups content.\\r\\nSelect a group to display detailed information of its contents.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Windows Permissions\\\"\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Name)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\nExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.RoleGroup == \\\"{Group}\\\"\\r\\n//| where CmdletResultValue.Level != 0\\r\\n| project CmdletResultValue\\r\\n| extend Members = tostring(CmdletResultValue.Identity)\\r\\n//| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n//| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n//| extend Level = tostring(CmdletResultValue.Level)\\r\\n//| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n//| extend LastLogon = CmdletResultValue.LastLogonString\\r\\n//| extend LastLogon = iif ( todatetime (CmdletResultValue.LastLogonString) < ago(-366d), CmdletResultValue.LastLogonString,strcat(\\\"💥\\\",CmdletResultValue.LastLogonString))\\r\\n//| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend Members = case( CmdletResultValue.RecipientType == \\\"Group\\\", strcat( \\\"👪 \\\", Members), strcat( \\\"🧑🦰 \\\", Members) )\\r\\n| extend RecipientType = tostring(CmdletResultValue.RecipientType)\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Exchange group\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"ExchAD\"},\"name\":\"Exchange and AD GRoup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Security configuration\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Inbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the Inbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| extend WhenChanged = tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"InBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend SenderIPAddresses = iff( Identity == prev(Identity) and SenderIPAddresses != prev(SenderIPAddresses) and prev(SenderIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIPAddresses, \\\" (\\\",prev(SenderIPAddresses),\\\"->\\\", SenderIPAddresses,\\\" )\\\"),SenderIPAddresses)\\r\\n| extend SenderDomains = iff( Identity == prev(Identity) and SenderDomains != prev(SenderDomains) and prev(SenderDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderDomains, \\\" (\\\",prev(SenderDomains),\\\"->\\\", SenderDomains,\\\" )\\\"),SenderDomains)\\r\\n| extend TrustedOrganizations = iff( Identity == prev(Identity) and TrustedOrganizations != prev(TrustedOrganizations) and prev(TrustedOrganizations) !=\\\"\\\" , strcat(\\\"📍 \\\", TrustedOrganizations, \\\" (\\\",prev(TrustedOrganizations),\\\"->\\\", TrustedOrganizations,\\\" )\\\"),TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = iff (Identity == prev(Identity) and AssociatedAcceptedDomainsRequireTls != prev(AssociatedAcceptedDomainsRequireTls) and prev(AssociatedAcceptedDomainsRequireTls) !=\\\"\\\" , strcat(\\\"📍 \\\", AssociatedAcceptedDomainsRequireTls, \\\" (\\\",prev(AssociatedAcceptedDomainsRequireTls),\\\"->\\\", AssociatedAcceptedDomainsRequireTls,\\\" )\\\"),AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = iff(Identity == prev(Identity) and RestrictDomainsToIPAddresses != prev(RestrictDomainsToIPAddresses) and prev(RestrictDomainsToIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToIPAddresses, \\\" (\\\",prev(RestrictDomainsToIPAddresses),\\\"->\\\", RestrictDomainsToIPAddresses,\\\" )\\\"),RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = iff( Identity == prev(Identity) and RestrictDomainsToCertificate != prev(RestrictDomainsToCertificate) and prev(RestrictDomainsToCertificate) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToCertificate, \\\" (\\\",prev(RestrictDomainsToCertificate),\\\"->\\\", RestrictDomainsToCertificate,\\\" )\\\"),RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = iff( Identity == prev(Identity) and TreatMessagesAsInternal != prev(TreatMessagesAsInternal) and prev(TreatMessagesAsInternal) !=\\\"\\\" , strcat(\\\"📍 \\\", TreatMessagesAsInternal, \\\" (\\\",prev(TreatMessagesAsInternal),\\\"->\\\", TreatMessagesAsInternal,\\\" )\\\"),TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = iff(Identity == prev(Identity) and TlsSenderCertificateName != prev(TlsSenderCertificateName) and prev(TlsSenderCertificateName) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsSenderCertificateName, \\\" (\\\",prev(TlsSenderCertificateName),\\\"->\\\", TlsSenderCertificateName,\\\" )\\\"),TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = iff( Identity == prev(Identity) and ScanAndDropRecipients != prev(ScanAndDropRecipients) and prev(ScanAndDropRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ScanAndDropRecipients, \\\" (\\\",prev(ScanAndDropRecipients),\\\"->\\\", ScanAndDropRecipients,\\\" )\\\"),ScanAndDropRecipients)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\" or SenderIPAddresses contains \\\"📍\\\" or SenderDomains contains \\\"📍\\\" or TrustedOrganizations contains \\\"📍\\\" or AssociatedAcceptedDomainsRequireTls contains \\\"📍\\\" or RestrictDomainsToIPAddresses contains \\\"📍\\\" or RestrictDomainsToCertificate contains \\\"📍\\\" or CloudServicesMailEnabled contains \\\"📍\\\" or TreatMessagesAsInternal contains \\\"📍\\\" or TlsSenderCertificateName contains \\\"📍\\\" or ScanAndDropRecipients contains \\\"📍\\\" or Comment contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n ConnectorSource,\\r\\n Comment,\\r\\n SenderIPAddresses,\\r\\n SenderDomains,\\r\\n TrustedOrganizations,\\r\\n AssociatedAcceptedDomainsRequireTls,\\r\\n RestrictDomainsToIPAddresses,\\r\\n RestrictDomainsToCertificate,\\r\\n CloudServicesMailEnabled,\\r\\n TreatMessagesAsInternal,\\r\\n TlsSenderCertificateName,\\r\\n ScanAndDropRecipients,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Inbound Connector configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the Outbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n| extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n| extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n| extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n| extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n| extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n| extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n| extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n| extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| extend WhenChanged = tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Outbound Connector configuration - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"OutBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend Comment = iff( Comment == prev(Comment) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend RecipientDomains = iff( Identity == prev(Identity) and RecipientDomains != prev(RecipientDomains) and prev(RecipientDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", RecipientDomains, \\\" (\\\",prev(RecipientDomains),\\\"->\\\", RecipientDomains,\\\" )\\\"),RecipientDomains)\\r\\n| extend SmartHosts = iff( Identity == prev(Identity) and SmartHosts != prev(SmartHosts) and prev(SmartHosts) !=\\\"\\\" , strcat(\\\"📍 \\\", SmartHosts, \\\" (\\\",prev(SmartHosts),\\\"->\\\", SmartHosts,\\\" )\\\"),SmartHosts)\\r\\n| extend TlsDomain = iff( Identity == prev(Identity) and TlsDomain != prev(TlsDomain) and prev(TlsDomain) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsDomain, \\\" (\\\",prev(TlsDomain),\\\"->\\\", TlsDomain,\\\" )\\\"),TlsDomain)\\r\\n| extend IsTransportRuleScoped = iff( Identity == prev(Identity) and IsTransportRuleScoped != prev(IsTransportRuleScoped) and prev(IsTransportRuleScoped) !=\\\"\\\" , strcat(\\\"📍 \\\", IsTransportRuleScoped, \\\" (\\\",prev(IsTransportRuleScoped),\\\"->\\\", IsTransportRuleScoped,\\\" )\\\"),IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = iff( Identity == prev(Identity) and RouteAllMessagesViaOnPremises != prev(RouteAllMessagesViaOnPremises) and prev(RouteAllMessagesViaOnPremises) !=\\\"\\\" , strcat(\\\"📍 \\\", RouteAllMessagesViaOnPremises, \\\" (\\\",prev(RouteAllMessagesViaOnPremises),\\\"->\\\", RouteAllMessagesViaOnPremises,\\\" )\\\"),RouteAllMessagesViaOnPremises)\\r\\n| extend AllAcceptedDomains = iff( Identity == prev(Identity) and AllAcceptedDomains != prev(AllAcceptedDomains) and prev(AllAcceptedDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", AllAcceptedDomains, \\\" (\\\",prev(AllAcceptedDomains),\\\"->\\\", AllAcceptedDomains,\\\" )\\\"),AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = iff( Identity == prev(Identity) and SenderRewritingEnabled != prev(SenderRewritingEnabled) and prev(SenderRewritingEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderRewritingEnabled, \\\" (\\\",prev(SenderRewritingEnabled),\\\"->\\\", SenderRewritingEnabled,\\\" )\\\"),SenderRewritingEnabled)\\r\\n| extend TestMode = iff( Identity == prev(Identity)and TestMode != prev(TestMode) and prev(TestMode) !=\\\"\\\" , strcat(\\\"📍 \\\", TestMode, \\\" (\\\",prev(TestMode),\\\"->\\\", TestMode,\\\" )\\\"),TestMode)\\r\\n| extend LinkForModifiedConnector = iff( Identity == prev(Identity) and LinkForModifiedConnector != prev(LinkForModifiedConnector) and prev(LinkForModifiedConnector) !=\\\"\\\" , strcat(\\\"📍 \\\", LinkForModifiedConnector, \\\" (\\\",prev(LinkForModifiedConnector),\\\"->\\\", LinkForModifiedConnector,\\\" )\\\"),LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = iff( Identity == prev(Identity) and ValidationRecipients != prev(ValidationRecipients) and prev(ValidationRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ValidationRecipients, \\\" (\\\",prev(ValidationRecipients),\\\"->\\\", ValidationRecipients,\\\" )\\\"),ValidationRecipients)\\r\\n| extend IsValidated = iff( Identity == prev(Identity) and IsValidated != prev(IsValidated) and prev(IsValidated) !=\\\"\\\" , strcat(\\\"📍 \\\", IsValidated, \\\" (\\\",prev(IsValidated),\\\"->\\\", IsValidated,\\\" )\\\"),IsValidated)\\r\\n| extend LastValidationTimestamp = iff( Identity == prev(Identity) and LastValidationTimestamp != prev(LastValidationTimestamp) and prev(LastValidationTimestamp) !=\\\"\\\" , strcat(\\\"📍 \\\", LastValidationTimestamp, \\\" (\\\",prev(LastValidationTimestamp),\\\"->\\\", LastValidationTimestamp,\\\" )\\\"),LastValidationTimestamp)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\"or CloudServicesMailEnabled contains \\\"📍\\\" or Comment contains \\\"📍\\\" or UseMXRecord contains \\\"📍\\\" or RecipientDomains contains \\\"📍\\\" or SmartHosts contains \\\"📍\\\" or TlsDomain contains \\\"📍\\\" or TlsSettings contains \\\"📍\\\" or IsTransportRuleScoped contains \\\"📍\\\" or RouteAllMessagesViaOnPremises contains \\\"📍\\\" or AllAcceptedDomains contains \\\"📍\\\" or SenderRewritingEnabled contains \\\"📍\\\" or TestMode contains \\\"📍\\\" or LinkForModifiedConnector contains \\\"📍\\\" or ValidationRecipients contains \\\"📍\\\" or IsValidated contains \\\"📍\\\" or LastValidationTimestamp contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n ConnectorSource, \\r\\n CloudServicesMailEnabled,\\r\\n Comment,\\r\\n UseMXRecord,\\r\\n RecipientDomains,\\r\\n SmartHosts,\\r\\n TlsDomain,\\r\\n TlsSettings,\\r\\n IsTransportRuleScoped,\\r\\n RouteAllMessagesViaOnPremises,\\r\\n AllAcceptedDomains,\\r\\n SenderRewritingEnabled,\\r\\n TestMode,\\r\\n LinkForModifiedConnector,\\r\\n ValidationRecipients,\\r\\n IsValidated,\\r\\n LastValidationTimestamp,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Rules with specific actions to monitor\",\"items\":[{\"type\":1,\"content\":{\"json\":\"A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\\r\\n\\r\\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\\r\\n- BlindCopyTo\\r\\n- SentTo\\r\\n- CopyTo\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n| extend State = tostring(CmdletResultValue.State)\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n| extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Transport Rules actions to monitor\"},{\"type\":1,\"content\":{\"json\":\"** Due to lack of informaiton in Powershell, the Transport Rule compare section could display approximate information for Add and Modif. Especially, for the WhenCreated parameter.\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange =\\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"TransportRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| sort by Identity,TimeGenerated asc\\r\\n | extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend WhenChanged = todatetime(bin(WhenChanged,1m))\\r\\n | extend aa=prev(WhenCreated)\\r\\n | extend WhenCreated = iff( Identity == prev(Identity) and WhenChanged != prev(WhenChanged),aa ,WhenChanged)\\r\\n | extend WhenCreated =bin(WhenCreated,1m)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = inner (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,Mode,SetSCL,SenderIpRangesString,MessageTypeMatchesString,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData1 = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffAddData2 = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\"\\r\\n| distinct Identity;\\r\\nlet DiffAddData = DiffAddData1\\r\\n| join DiffAddData2 on Identity\\r\\n;\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenChanged,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo, SetSCL, SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend SentTo = iff( Identity == prev(Identity) and SentTo != prev(SentTo) and prev(SentTo) !=\\\"\\\" , strcat(\\\"📍 \\\", SentTo, \\\" (\\\",prev(SentTo),\\\"->\\\", SentTo,\\\" )\\\"),SentTo)\\r\\n| extend BlindCopyTo = iff( Identity == prev(Identity) and BlindCopyTo != prev(BlindCopyTo) and prev(BlindCopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", BlindCopyTo, \\\" (\\\",prev(BlindCopyTo),\\\"->\\\", BlindCopyTo,\\\" )\\\"),BlindCopyTo)\\r\\n| extend CopyTo = iff( Identity == prev(Identity) and CopyTo != prev(CopyTo) and prev(CopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", CopyTo, \\\" (\\\",prev(CopyTo),\\\"->\\\", CopyTo,\\\" )\\\"),CopyTo)\\r\\n| extend SetSCL = iff( Identity == prev(Identity)and SetSCL != prev(SetSCL) and prev(SetSCL) !=\\\"\\\" , strcat(\\\"📍 \\\", SetSCL, \\\" (\\\",prev(SetSCL),\\\"->\\\", SetSCL,\\\" )\\\"),SetSCL)\\r\\n| extend SenderIpRangesString = iff( Identity == prev(Identity)and SenderIpRangesString != prev(SenderIpRangesString) and prev(SenderIpRangesString) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIpRangesString, \\\" (\\\",prev(SenderIpRangesString),\\\"->\\\", SenderIpRangesString,\\\" )\\\"),SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = iff( Identity == prev(Identity)and MessageTypeMatchesString != prev(MessageTypeMatchesString) and prev(MessageTypeMatchesString) !=\\\"\\\" , strcat(\\\"📍 \\\", MessageTypeMatchesString, \\\" (\\\",prev(MessageTypeMatchesString),\\\"->\\\", MessageTypeMatchesString,\\\" )\\\"),MessageTypeMatchesString)\\r\\n| extend Mode = iff( Identity == prev(Identity)and Mode != prev(Mode) and prev(Mode) !=\\\"\\\" , strcat(\\\"📍 \\\", Mode, \\\" (\\\",prev(Mode),\\\"->\\\", Mode,\\\" )\\\"),Mode)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or SentTo contains \\\"📍\\\" or BlindCopyTo contains \\\"📍\\\" or CopyTo contains \\\"📍\\\" or SetSCL contains \\\"📍\\\" or SenderIpRangesString contains \\\"📍\\\" or MessageTypeMatchesString contains \\\"📍\\\" or Mode contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n SetSCL,\\r\\n SenderIpRangesString,\\r\\n MessageTypeMatchesString,\\r\\n Mode,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Policy : Autoforward configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is enabled, then automatic transfer are allowed.\\r\\nFor example: users in Outlook will be able set automatic transfer of all their emails to external addresses.\\r\\nThere are several methods to authorized automatic forward. \\r\\nPlease review this article : https://learn.microsoft.com/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding?view=o365-worldwide\\r\\n**In summary :**\\r\\n\\r\\n**Scenario 1 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Off.\\r\\n*Result :* \\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\n\\r\\n**Scenario 2 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Automatic - System-controlled.\\r\\n\\r\\n*Result :* \\r\\n\\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\nAs described earlier, Automatic - System-controlled used to mean On, but the setting has changed over time to mean Off in all organizations.\\r\\n\\r\\nFor absolute clarity, you should configure your outbound spam filter policy to On or Off.\\r\\n\\r\\n**Scenario 3 :**\\r\\n\\r\\nAutomatic forwarding in the outbound spam filter policy is set to On\\r\\nYou use mail flow rules or remote domains to block automatically forwarded email\\r\\n\\r\\n*Result : *\\r\\n\\r\\nAutomatically forwarded messages to affected recipients are blocked by mail flow rules or remote domains.\\r\\n****\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n| join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n| extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n| extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n| extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n| extend AutoForwardingMode= iff (CmdletResultValue.AutoForwardingMode == \\\"On\\\" , strcat (\\\"❌ \\\", tostring(CmdletResultValue.AutoForwardingMode)), tostring(CmdletResultValue.AutoForwardingMode))\\r\\n| extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n| extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n| extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n| extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n| extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n| extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n| extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n| extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n| extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n| project Identity,IsDefault,Enabled,AutoForwardingMode,OutboundSpamFilterRule,BccSuspiciousOutboundAdditionalRecipients,BccSuspiciousOutboundMail,NotifyOutboundSpam,NotifyOutboundSpamRecipient,WhenChanged,WhenCreated\\r\\n| sort by Identity asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"OutboundPol - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRangeOSFR = ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n | project Identity, HostedOutboundSpamFilterPolicy;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterPolicy\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | project\\r\\n TimeGenerated,\\r\\n Identity,\\r\\n CmdletResultValue,\\r\\n WhenChanged = todatetime(bin(WhenChanged_t,1m)),\\r\\n WhenCreated=todatetime(bin(WhenCreated_t,1m))\\r\\n | join kind=fullouter allDataRangeOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData\\r\\n | where WhenCreated >= _DateCompareB)\\r\\n on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange) on WhenCreated\\r\\n | where WhenCreated >= _DateCompareB\\r\\n | where bin(WhenCreated, 5m) == bin(WhenChanged, 5m)\\r\\n | distinct\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddData = union DiffAddDataP1, DiffAddDataP2\\r\\n | extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | project\\r\\n WhenChanged=_CurrentDateB,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated\\r\\n;\\r\\nlet DiffModifData = union AfterData, allDataRange\\r\\n | sort by Identity, WhenChanged asc\\r\\n | project\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | extend Identity = iff(Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) != \\\"\\\", strcat(\\\"📍 \\\", Identity, \\\" (\\\", prev(Identity), \\\"->\\\", Identity, \\\" )\\\"), Identity)\\r\\n | extend IsDefault = iff(Identity == prev(Identity) and IsDefault != prev(IsDefault) and prev(IsDefault) != \\\"\\\", strcat(\\\"📍 \\\", IsDefault, \\\" (\\\", prev(IsDefault), \\\"->\\\", IsDefault, \\\" )\\\"), IsDefault)\\r\\n | extend Enabled = iff(Identity == prev(Identity) and Enabled != prev(Enabled) and prev(Enabled) != \\\"\\\", strcat(\\\"📍 \\\", Enabled, \\\" (\\\", prev(Enabled), \\\"->\\\", Enabled, \\\" )\\\"), Enabled)\\r\\n | extend AutoForwardingMode = iff(Identity == prev(Identity) and AutoForwardingMode != prev(AutoForwardingMode) and prev(AutoForwardingMode) != \\\"\\\", strcat(\\\"📍 \\\", AutoForwardingMode, \\\" (\\\", prev(AutoForwardingMode), \\\"->\\\", AutoForwardingMode, \\\" )\\\"), AutoForwardingMode)\\r\\n | extend OutboundSpamFilterRule = iff(Identity == prev(Identity) and OutboundSpamFilterRule != prev(OutboundSpamFilterRule) and prev(OutboundSpamFilterRule) != \\\"\\\", strcat(\\\"📍 \\\", OutboundSpamFilterRule, \\\" (\\\", prev(OutboundSpamFilterRule), \\\"->\\\", OutboundSpamFilterRule, \\\" )\\\"), OutboundSpamFilterRule)\\r\\n | extend RecommendedPolicyType = iff(Identity == prev(Identity) and RecommendedPolicyType != prev(RecommendedPolicyType) and prev(RecommendedPolicyType) != \\\"\\\", strcat(\\\"📍 \\\", RecommendedPolicyType, \\\" (\\\", prev(RecommendedPolicyType), \\\"->\\\", RecommendedPolicyType, \\\" )\\\"), RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = iff(Identity == prev(Identity) and RecipientLimitExternalPerHour != prev(RecipientLimitExternalPerHour) and prev(RecipientLimitExternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitExternalPerHour, \\\" (\\\", prev(RecipientLimitExternalPerHour), \\\"->\\\", RecipientLimitExternalPerHour, \\\" )\\\"), RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = iff(Identity == prev(Identity) and RecipientLimitInternalPerHour != prev(RecipientLimitInternalPerHour) and prev(RecipientLimitInternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitInternalPerHour, \\\" (\\\", prev(RecipientLimitInternalPerHour), \\\"->\\\", RecipientLimitInternalPerHour, \\\" )\\\"), RecipientLimitInternalPerHour)\\r\\n | extend ActionWhenThresholdReached = iff(Identity == prev(Identity) and ActionWhenThresholdReached != prev(ActionWhenThresholdReached) and prev(ActionWhenThresholdReached) != \\\"\\\", strcat(\\\"📍 \\\", ActionWhenThresholdReached, \\\" (\\\", prev(ActionWhenThresholdReached), \\\"->\\\", ActionWhenThresholdReached, \\\" )\\\"), ActionWhenThresholdReached)\\r\\n | extend RecipientLimitPerDay = iff(Identity == prev(Identity) and RecipientLimitPerDay != prev(RecipientLimitPerDay) and prev(RecipientLimitPerDay) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitPerDay, \\\" (\\\", prev(RecipientLimitPerDay), \\\"->\\\", RecipientLimitPerDay, \\\" )\\\"), RecipientLimitPerDay)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients = iff(Identity == prev(Identity) and BccSuspiciousOutboundAdditionalRecipients != prev(BccSuspiciousOutboundAdditionalRecipients) and prev(BccSuspiciousOutboundAdditionalRecipients) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundAdditionalRecipients, \\\" (\\\", prev(BccSuspiciousOutboundAdditionalRecipients), \\\"->\\\", BccSuspiciousOutboundAdditionalRecipients, \\\" )\\\"), BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = iff(Identity == prev(Identity) and BccSuspiciousOutboundMail != prev(BccSuspiciousOutboundMail) and prev(BccSuspiciousOutboundMail) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundMail, \\\" (\\\", prev(BccSuspiciousOutboundMail), \\\"->\\\", BccSuspiciousOutboundMail, \\\" )\\\"), BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam = iff(Identity == prev(Identity) and NotifyOutboundSpam != prev(NotifyOutboundSpam) and prev(NotifyOutboundSpam) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpam, \\\" (\\\", prev(NotifyOutboundSpam), \\\"->\\\", NotifyOutboundSpam, \\\" )\\\"), NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = iff(Identity == prev(Identity) and NotifyOutboundSpamRecipient != prev(NotifyOutboundSpamRecipient) and prev(NotifyOutboundSpamRecipient) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpamRecipient, \\\" (\\\", prev(NotifyOutboundSpamRecipient), \\\"->\\\", NotifyOutboundSpamRecipient, \\\" )\\\"), NotifyOutboundSpamRecipient)\\r\\n | extend ActiontypeR =iff((Identity contains \\\"📍\\\" or IsDefault contains \\\"📍\\\" or Enabled contains \\\"📍\\\" or OutboundSpamFilterRule contains \\\"📍\\\" or AutoForwardingMode contains \\\"📍\\\" or BccSuspiciousOutboundAdditionalRecipients contains \\\"📍\\\" or BccSuspiciousOutboundMail contains \\\"📍\\\" or NotifyOutboundSpam contains \\\"📍\\\" or NotifyOutboundSpamRecipient contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is set to True for an SMTP domain and the Outbound Policy is set to On then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\\r\\n\\r\\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. \\r\\n\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName == \\\"*\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName != \\\"*\\\", strcat (\\\"⚠️ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅ \\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ForwardGroup\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"RemoteDomain\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,DomainName,AutoForwardEnabled,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend DomainName = iff( Identity == prev(Identity) and DomainName != prev(DomainName) and prev(DomainName) !=\\\"\\\" , strcat(\\\"📍 \\\", DomainName, \\\" (\\\",prev(DomainName),\\\"->\\\", DomainName,\\\" )\\\"),DomainName)\\r\\n| extend AutoForwardEnabled = iff( Identity == prev(Identity) and AutoForwardEnabled != prev(AutoForwardEnabled) and prev(AutoForwardEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", AutoForwardEnabled, \\\" (\\\",prev(AutoForwardEnabled),\\\"->\\\", AutoForwardEnabled,\\\" )\\\"),AutoForwardEnabled)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or DomainName contains \\\"📍\\\" or AutoForwardEnabled contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n DomainName,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Transport\"},\"name\":\"Transport Security configuration\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityReview-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -1698,7 +1561,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Exchange Admin Activity - Online Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Admin Activity - Online Workbook with template version 3.1.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion3')]",
@@ -1716,7 +1579,7 @@
},
"properties": {
"displayName": "[parameters('workbook3-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Admin Activity\\r\\n\\r\\nThis workbook helps you visualize what is happening in your Exchange environment.\\r\\nResults removed :\\r\\n\\t- All Test-* and Set-AdServerSetting Cmdlets\\r\\n\\r\\n**Selection of an environment is unavailable. As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3792117c-d924-4ec7-a327-1e8d5e9f291a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"value\":{\"durationMs\":14400000}},{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n| summarize by OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlet Analysis\",\"subTarget\":\"Cmdlet\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Cmdlet summary\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab parses the events from OfficeActivity logs :\\r\\n\\r\\n- list of cmdlets\\r\\n- filter on a VIP and/or Sensitive objects (based on Watchlist \\\"Exchange VIP\\\" and \\\" Monitored Exchange Cmdlets\\\")\\r\\n- anomalies detections are based on the KQL function series_decompose_anomalies\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdletGroupHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5a942eba-c991-4b84-9a94-c153bca86e12\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VIPOnly\",\"label\":\"Show VIP Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"83befa26-eee0-49ab-9785-72653943bc6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensitiveOnly\",\"label\":\"Sensitive CmdLet Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\\r\\n\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This section show all the Cmdlets executed in the selected time range. Possible filters are: \\r\\n- **VIP Only selected** Cmdlets used against VIP objects (based on the \\\"Exchange VIP\\\" watchlist)\\r\\n- **Sensitive Cmdlets** Cmdlets considered as Sensitive (based on the \\\"Monitored Exchange Cmdlets\\\" watchlist)\\r\\n\\r\\nThese informations can be useful to detect unexpected behaviors or to determine what are the action performed by the accounts (ie. service accounts).\\r\\n\\r\\nℹ️ It is recommended to delegated only the necessary privileges to an account.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdtListHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| sort by count_\",\"size\":2,\"showAnalytics\":true,\"title\":\"List of all executed cmdlets during the last 90 days (based on Sentinel retention)\",\"exportFieldName\":\"Cmdlet\",\"exportParameterName\":\"CmdletFilter\",\"exportDefaultValue\":\"\\\"\\\"\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Cmdlet\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":20}},\"customWidth\":\"45\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by CmdletName\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on CmdletName\\r\\n| project CmdletName, Total=count_, Count, Anomalies\\r\\n| sort by Total\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Cmdlet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]}},\"customWidth\":\"55\",\"name\":\"CmdletTrends\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize Total = count() by Caller\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by Caller\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on Caller\\r\\n| project Caller, Total, Count, Anomalies\\r\\n| sort by Total desc\",\"size\":1,\"showAnalytics\":true,\"exportFieldName\":\"Caller\",\"exportParameterName\":\"CallerFilter\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"Total\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"125px\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"chartSettings\":{\"createOtherGroup\":20}},\"name\":\"query - 4\"},{\"type\":1,\"content\":{\"json\":\"## List of Cmdlets\\r\\n\\r\\nBy default all accounts found in the log are displayed.\\r\\n\\r\\nSelect an caller, to display all Cmdlets launched by this administrator\\r\\n\\r\\n> **Legend** \\r\\n> \\r\\n> 👑 VIP user \\r\\n> 💥 Sensitive action\\r\\n\\r\\nIf needed, select an item in the dropdownlist. Dropdownlist are independent.\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"008273d1-a013-4d86-9e23-499e5175a85e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CallerFilter\",\"label\":\"Caller\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| distinct Caller\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| sort by Caller asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"21bd4e45-65ca-4b9b-a19c-177d6b37d807\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TargetObjectFilter\",\"label\":\"Target Object\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct TargetObject\\r\\n| sort by TargetObject asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9e93d5c3-0fcb-4ece-b2a0-fc3ff44a0b04\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdletFilter\",\"label\":\"Cmdlet Filter\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| where (Caller in ({CallerFilter}) or Caller == \\\"ALL\\\") and TargetObject contains \\\"{TargetObjectFilter}\\\" and CmdletName contains \\\"{CmdletFilter}\\\"\\r\\n and TargetObject contains \\\"\\\"\\r\\n and CmdletName contains \\\"\\\"\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend Cmdlet = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| project TimeGenerated, Caller, TargetObject, Cmdlet, CmdletParameters\\r\\n| sort by TimeGenerated desc\",\"size\":2,\"showAnalytics\":true,\"title\":\"History\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActualCmdLet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"120ch\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Cmdlet\"},\"name\":\"Cmdlet Group\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityAdminActivity-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Admin Activity\\r\\n\\r\\nThis workbook helps you visualize what is happening in your Exchange environment.\\r\\nResults removed :\\r\\n\\t- All Test-* and Set-AdServerSetting Cmdlets\\r\\n\\r\\n**Selection of an environment is unavailable. As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3792117c-d924-4ec7-a327-1e8d5e9f291a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"value\":{\"durationMs\":14400000}},{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n| summarize by OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlet Analysis\",\"subTarget\":\"Cmdlet\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Cmdlet summary\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab parses the events from OfficeActivity logs :\\r\\n\\r\\n- list of cmdlets\\r\\n- filter on a VIP and/or Sensitive objects (based on Watchlist \\\"Exchange VIP\\\" and \\\" Monitored Exchange Cmdlets\\\")\\r\\n- anomalies detections are based on the KQL function series_decompose_anomalies\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdletGroupHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5a942eba-c991-4b84-9a94-c153bca86e12\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VIPOnly\",\"label\":\"Show VIP Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"83befa26-eee0-49ab-9785-72653943bc6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensitiveOnly\",\"label\":\"Sensitive CmdLet Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\\r\\n\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This section show all the Cmdlets executed in the selected time range. Possible filters are: \\r\\n- **VIP Only selected** Cmdlets used against VIP objects (based on the \\\"Exchange VIP\\\" watchlist)\\r\\n- **Sensitive Cmdlets** Cmdlets considered as Sensitive (based on the \\\"Monitored Exchange Cmdlets\\\" watchlist)\\r\\n\\r\\nThese informations can be useful to detect unexpected behaviors or to determine what are the action performed by the accounts (ie. service accounts).\\r\\n\\r\\nℹ️ It is recommended to delegated only the necessary privileges to an account.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdtListHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| sort by count_\",\"size\":2,\"showAnalytics\":true,\"title\":\"List of all executed cmdlets during the last 90 days (based on Sentinel retention)\",\"exportFieldName\":\"Cmdlet\",\"exportParameterName\":\"CmdletFilter\",\"exportDefaultValue\":\"\\\"\\\"\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Cmdlet\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":20}},\"customWidth\":\"45\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by CmdletName\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on CmdletName\\r\\n| project CmdletName, Total=count_, Count, Anomalies\\r\\n| sort by Total\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Cmdlet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]}},\"customWidth\":\"55\",\"name\":\"CmdletTrends\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize Total = count() by Caller\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by Caller\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on Caller\\r\\n| project Caller, Total, Count, Anomalies\\r\\n| sort by Total desc\",\"size\":1,\"showAnalytics\":true,\"exportFieldName\":\"Caller\",\"exportParameterName\":\"CallerFilter\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"Total\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"125px\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"chartSettings\":{\"createOtherGroup\":20}},\"name\":\"query - 4\"},{\"type\":1,\"content\":{\"json\":\"## List of Cmdlets\\r\\n\\r\\nBy default all accounts found in the log are displayed.\\r\\n\\r\\nSelect an caller, to display all Cmdlets launched by this administrator\\r\\n\\r\\n> **Legend** \\r\\n> \\r\\n> 👑 VIP user \\r\\n> 💥 Sensitive action\\r\\n\\r\\nIf needed, select an item in the dropdownlist. Dropdownlist are independent.\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"008273d1-a013-4d86-9e23-499e5175a85e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CallerFilter\",\"label\":\"Caller\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| distinct Caller\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| sort by Caller asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"21bd4e45-65ca-4b9b-a19c-177d6b37d807\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TargetObjectFilter\",\"label\":\"Target Object\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct TargetObject\\r\\n| sort by TargetObject asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9e93d5c3-0fcb-4ece-b2a0-fc3ff44a0b04\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdletFilter\",\"label\":\"Cmdlet Filter\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| where (Caller in ({CallerFilter}) or Caller == \\\"ALL\\\") and TargetObject contains \\\"{TargetObjectFilter}\\\" and CmdletName contains \\\"{CmdletFilter}\\\"\\r\\n and TargetObject contains \\\"\\\"\\r\\n and CmdletName contains \\\"\\\"\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend Cmdlet = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| project TimeGenerated, Caller, TargetObject, Cmdlet, CmdletParameters\\r\\n| sort by TimeGenerated desc\",\"size\":2,\"showAnalytics\":true,\"title\":\"History\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActualCmdLet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"120ch\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Cmdlet\"},\"name\":\"Cmdlet Group\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityAdminActivity-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -1727,7 +1590,7 @@
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId3'),'/'))))]",
"properties": {
- "description": "@{workbookKey=MicrosoftExchangeAdminActivity-Online; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Microsoft Exchange Online Admin Activity; templateRelativePath=Microsoft Exchange Admin Activity - Online.json; subtitle=; provider=Microsoft}.description",
+ "description": "@{workbookKey=MicrosoftExchangeAdminActivity-Online; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Exchange Admin Activity - Online; templateRelativePath=Microsoft Exchange Admin Activity - Online.json; subtitle=; provider=Microsoft}.description",
"parentId": "[variables('workbookId3')]",
"contentId": "[variables('_workbookContentId3')]",
"kind": "Workbook",
@@ -1785,7 +1648,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Microsoft Exchange Search AdminAuditLog - Online Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Search AdminAuditLog - Online Workbook with template version 3.1.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion4')]",
@@ -1803,7 +1666,7 @@
},
"properties": {
"displayName": "[parameters('workbook4-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Admin Audit Log\\r\\n\\r\\n** This workbook requires Option 1** (upload of the OfficeActivity logs)\\r\\n\\r\\n**Selection of an environment is unavailable. As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 6\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"79f1e435-df12-4c83-9967-501ab5f6ad6a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"59486bcb-db99-43b3-97dc-a63b271a91d1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n | summarize by OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"079b3cc5-dab3-4d38-b4d0-71101802949d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"9d830b00-95f4-4fd5-8cfb-95c2e63f5d0b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlets Analysis\",\"subTarget\":\"CmdletAna\",\"style\":\"link\"},{\"id\":\"944a83ef-377f-4374-83e8-46816b6ce570\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Admin Audit Log - All Admins\",\"subTarget\":\"AllAAL\",\"style\":\"link\"},{\"id\":\"cdab541f-8d91-4882-ba46-7c04cdff257b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Global Admin Audit Log Search\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If needed, select an item in the dropdownlist. Dropdownlist are independent.\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e100ee8b-d63b-4c49-9004-6555b56051aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Admin\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| extend admin = Caller\\r\\n| distinct admin\\r\\n\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0d7c1223-d108-4d10-bb24-50891a3415fd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdLet\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({Admin})\\r\\n| distinct CmdletName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**How to understand the data**\\r\\n\\r\\nThese information are extracted from the OfficeActivity logs.\\r\\n\\r\\nEach entry is analyzed regarding the following conditions :\\r\\n\\r\\n - Check if the Target Object is a VIP. The VIP list is based on the watchlist \\\"Exchange VIP\\\".\\r\\n\\r\\n - Check if the Cdmlet is a Sensitive Cmdlet. The Sensitive Cmdlet list is based on the watchlist \\\"Monitored Exchange Cmdlets\\\". \\r\\n - This list contains the list of Cmdlet that are considered as Sensitive. \\r\\n - Some Cmdlet will be considered as Sensitive only if some specific parameters defined in the \\\"Monitored Exchange Cmdlets\\\" watchlist are used.\\r\\n\\r\\nColumn explainatations : \\r\\n - Caller : Named of the Administrators that used this cmdlet\\r\\n - TargetObject : Object modified by the cmdlet\\r\\n - IsVIP : If the Target Object part of the \\\"Exchange VIP\\\" watchlist\\r\\n - Cmdlet : Name of the cmdlet that was used\\r\\n - CmdletParameters : Cmdlet parameters used with the command\\r\\n - IsSensitive :\\r\\n - true : This cmdlet is Sensitive because it was part of the list of the \\\"Monitored Exchange Cmdlets\\\" watchlist and Sensitive parameters have been used for cmdlet with specifc sensitive parameters \\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where Caller in ({Admin}) and CmdletName in ({CmdLet})\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend CmdletName = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| extend IsSensitive = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",tostring(IsSenstiveCmdlet)), tostring(IsSenstiveCmdlet))\\r\\n| project TimeGenerated, Caller,IsVIP,TargetObject,IsSensitive,CmdletName,CmdletParameters\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"AllAAL\"},\"name\":\"Global Admin Audit Log\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Analysis of Administrators actions\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Total Cmdlets for the Time Range\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller\\r\\n| extend CmdletName\\r\\n| summarize Count=count() by CmdletName\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=dcount(CmdletName) by Account,CmdletName\",\"size\":2,\"showAnalytics\":true,\"title\":\"Total Unique Cmdlet per Account for the Time Range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Account\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| summarize Count=count() by CmdletName\\r\\n| sort by CmdletName asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total List of Cmdlets\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=count() by CmdletName, Account\\r\\n| sort by Count asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"List of Cmdlet per Account\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displayed the list of Cmdlet used in your environment for the defined period of time with the number of time they have been used.\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section will display the list of Cmdlet launch by Administrators for the defined period of time and the number of time they have been used\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 3\"}]},\"name\":\"Result Analysis\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CmdletAna\"},\"name\":\"Analysis of actions performed\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\nThe goals of this workbook is to allow search in the Exchange Admin Audit log.\\r\\n\\r\\nThe source of this workbook is not an export of the Admin Audit log mailbox but an export of the MSExchange Management for each Exchange servers.\\r\\n\\r\\nIf the Admin Audit Log is bypassed, the information won't be displayed in this workbook as there is no method to track this data.\\r\\n\\r\\n## Tabs\\r\\n\\r\\nLet quicly review the content of each tab\\r\\n\\r\\n### Cmdlets Analysis\\r\\n\\r\\nThis tab will show for the defined time range :\\r\\n - A summary of all cmdets used\\r\\n\\r\\n - A summary of all cmdlets used by each Account\\r\\n\\r\\n### Global Admin Audit Log\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\\r\\n\\r\\n\\r\\n### AdminAuditLog for Org Mgmt\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content for only account members on the Organization Management groups.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"group - 5\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSearchAdminAuditLog-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Admin Audit Log\\r\\n\\r\\n** This workbook requires Option 1** (upload of the OfficeActivity logs)\\r\\n\\r\\n**Selection of an environment is unavailable. As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 6\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"79f1e435-df12-4c83-9967-501ab5f6ad6a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"59486bcb-db99-43b3-97dc-a63b271a91d1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n | summarize by OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"079b3cc5-dab3-4d38-b4d0-71101802949d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"9d830b00-95f4-4fd5-8cfb-95c2e63f5d0b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlets Analysis\",\"subTarget\":\"CmdletAna\",\"style\":\"link\"},{\"id\":\"944a83ef-377f-4374-83e8-46816b6ce570\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Admin Audit Log - All Admins\",\"subTarget\":\"AllAAL\",\"style\":\"link\"},{\"id\":\"cdab541f-8d91-4882-ba46-7c04cdff257b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Global Admin Audit Log Search\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If needed, select an item in the dropdownlist. Dropdownlist are independent.\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e100ee8b-d63b-4c49-9004-6555b56051aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Admin\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| extend admin = Caller\\r\\n| distinct admin\\r\\n\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0d7c1223-d108-4d10-bb24-50891a3415fd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdLet\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({Admin})\\r\\n| distinct CmdletName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**How to understand the data**\\r\\n\\r\\nThese information are extracted from the OfficeActivity logs.\\r\\n\\r\\nEach entry is analyzed regarding the following conditions :\\r\\n\\r\\n - Check if the Target Object is a VIP. The VIP list is based on the watchlist \\\"Exchange VIP\\\".\\r\\n\\r\\n - Check if the Cdmlet is a Sensitive Cmdlet. The Sensitive Cmdlet list is based on the watchlist \\\"Monitored Exchange Cmdlets\\\". \\r\\n - This list contains the list of Cmdlet that are considered as Sensitive. \\r\\n - Some Cmdlet will be considered as Sensitive only if some specific parameters defined in the \\\"Monitored Exchange Cmdlets\\\" watchlist are used.\\r\\n\\r\\nColumn explainatations : \\r\\n - Caller : Named of the Administrators that used this cmdlet\\r\\n - TargetObject : Object modified by the cmdlet\\r\\n - IsVIP : If the Target Object part of the \\\"Exchange VIP\\\" watchlist\\r\\n - Cmdlet : Name of the cmdlet that was used\\r\\n - CmdletParameters : Cmdlet parameters used with the command\\r\\n - IsSensitive :\\r\\n - true : This cmdlet is Sensitive because it was part of the list of the \\\"Monitored Exchange Cmdlets\\\" watchlist and Sensitive parameters have been used for cmdlet with specifc sensitive parameters \\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where Caller in ({Admin}) and CmdletName in ({CmdLet})\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend CmdletName = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| extend IsSensitive = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",tostring(IsSenstiveCmdlet)), tostring(IsSenstiveCmdlet))\\r\\n| project TimeGenerated, Caller,IsVIP,TargetObject,IsSensitive,CmdletName,CmdletParameters\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"AllAAL\"},\"name\":\"Global Admin Audit Log\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Analysis of Administrators actions\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Total Cmdlets for the Time Range\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller\\r\\n| extend CmdletName\\r\\n| summarize Count=count() by CmdletName\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=dcount(CmdletName) by Account,CmdletName\",\"size\":2,\"showAnalytics\":true,\"title\":\"Total Unique Cmdlet per Account for the Time Range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Account\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| summarize Count=count() by CmdletName\\r\\n| sort by CmdletName asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total List of Cmdlets\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=count() by CmdletName, Account\\r\\n| sort by Count asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"List of Cmdlet per Account\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displayed the list of Cmdlet used in your environment for the defined period of time with the number of time they have been used.\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section will display the list of Cmdlet launch by Administrators for the defined period of time and the number of time they have been used\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 3\"}]},\"name\":\"Result Analysis\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CmdletAna\"},\"name\":\"Analysis of actions performed\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\nThe goals of this workbook is to allow search in the Exchange Admin Audit log.\\r\\n\\r\\nThe source of this workbook is not an export of the Admin Audit log mailbox but an export of the MSExchange Management for each Exchange servers.\\r\\n\\r\\nIf the Admin Audit Log is bypassed, the information won't be displayed in this workbook as there is no method to track this data.\\r\\n\\r\\n## Tabs\\r\\n\\r\\nLet quicly review the content of each tab\\r\\n\\r\\n### Cmdlets Analysis\\r\\n\\r\\nThis tab will show for the defined time range :\\r\\n - A summary of all cmdets used\\r\\n\\r\\n - A summary of all cmdlets used by each Account\\r\\n\\r\\n### Global Admin Audit Log\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\\r\\n\\r\\n\\r\\n### AdminAuditLog for Org Mgmt\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content for only account members on the Organization Management groups.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"group - 5\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSearchAdminAuditLog-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -1876,7 +1739,7 @@
"defaultDuration": "P1000Y",
"contentType": "Text/Csv",
"numberOfLinesToSkip": 0,
- "itemsSearchKey": "userPrincipalName",
+ "itemsSearchKey": "sAMAccountName",
"rawContent": "displayName,sAMAccountName,userPrincipalName,comment\r\n\"2016DB1 User1\",\"2016DB1-User1\",\"2016DB1-User1@MyCompany.com\",\r\n"
},
"apiVersion": "2021-03-01-preview"
@@ -1886,12 +1749,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.1.5",
+ "version": "3.1.6",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Microsoft Exchange Security - Exchange Online",
"publisherDisplayName": "Community",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 1, Parsers: 6, Workbooks: 4, Watchlists: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 1, Parsers: 5, Workbooks: 4, Watchlists: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -1945,11 +1808,6 @@ "contentId": "[variables('parserObject5').parserContentId5]", "version": "[variables('parserObject5').parserVersion5]" }, - { - "kind": "Parser", - "contentId": "[variables('parserObject6').parserContentId6]", - "version": "[variables('parserObject6').parserVersion6]" - }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", @@ -1973,7 +1831,7 @@ { "kind": "Watchlist", "contentId": "[variables('_Exchange Online VIP')]", - "version": "3.1.5" + "version": "3.1.6" } ] }, diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json index 39020c8111b..a1e9f9bdb6e 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json @@ -39,7 +39,7 @@ }, "workbook3-name": { "type": "string", - "defaultValue": "Microsoft Exchange Online Admin Activity", + "defaultValue": "Microsoft Exchange Admin Activity - Online", "minLength": 1, "metadata": { "description": "Name for the workbook" diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml deleted file mode 100644 index f242d0c9b16..00000000000 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml +++ /dev/null @@ -1,29 +0,0 @@ -id: 9f0e2122-f511-4e51-83a0-51fbd86d3121 -Function: - Title: Parser for VIP Check for Exchange - Version: '1.0.0' - LastUpdated: '2023-11-01' -Category: Microsoft Sentinel Parser -FunctionName: MESCheckVIP -FunctionAlias: MESCheckVIP -FunctionParams: - - Name: UserToCheck - Type: string - Description: The user to verifiy if is a VIP or not. Default value is "all". - Default: 'All' -FunctionQuery: | - //let UserToCheck = "SampleEntry"; - let _UserToCheck = iif(UserToCheck == "" or UserToCheck == "All","All",tolower(UserToCheck)); - let fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [ - "NONE","NONE","NONE","NONE","00000001-0000-1000-0000-100000000000","NONE","NONE"]; - let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != "00000001-0000-1000-0000-100000000000" | project-away TableName; - let SearchUser = Watchlist | where _UserToCheck =~ canonicalName - or _UserToCheck =~ displayName - or _UserToCheck =~ userPrincipalName - or _UserToCheck =~ sAMAccountName - or _UserToCheck =~ objectSID - or _UserToCheck == tostring(objectGUID) - or _UserToCheck =~ distinguishedName - or _UserToCheck == "All" - | extend ValueChecked = iif(_UserToCheck=="All",strcat("#",displayName,"#",userPrincipalName,"#",sAMAccountName,"#",objectGUID,"#",objectSID,"#",distinguishedName,"#"),_UserToCheck); - SearchUser \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml index 8f5b3cd4e4c..7aded9f868b 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml @@ -1,8 +1,8 @@ id: 39f51672-8c63-4600-882a-5db8275f798f Function: Title: Parser for MRA Configuration Data Comparison - Version: '1.0.0' - LastUpdated: '2024-02-25' + Version: '1.1.0' + LastUpdated: '2024-08-30' Category: Microsoft Sentinel Parser FunctionName: MESCompareDataMRA FunctionAlias: MESCompareDataMRA @@ -36,8 +36,8 @@ FunctionParams: Description: List of actors to exclude. Default value is "dynamic('')". Default: dynamic('') FunctionQuery: | - // Version: 1.0.0 - // Last Updated: 25/02/2024 + // Version: 1.1.0 + // Last Updated: 30/08/2024 // // DESCRIPTION: // This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them. @@ -84,14 +84,14 @@ FunctionQuery: | and CmdletResultValue.Name !contains "Deleg" | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup") - | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope) - | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope) + | extend CustomRecipientWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope)) + | extend CustomConfigWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope)) | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope) | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope) | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope) | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name) | extend Status= tostring(CmdletResultValue.Enabled) - | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6", "Delegating", "Regular") + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) | extend Role = tostring(CmdletResultValue.Role) | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType) @@ -103,8 +103,8 @@ FunctionQuery: | and CmdletResultValue.Name !contains "Deleg" | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup") - | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope) - | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope) + | extend CustomRecipientWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope.Name)) + | extend CustomConfigWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope)) | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope) | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope) | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope) @@ -112,6 +112,7 @@ FunctionQuery: | | extend Status= tostring(CmdletResultValue.Enabled) | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName) | extend Role = tostring(CmdletResultValue.Role) + | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular") | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType) ; let i=0; diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md index 46169e80260..fa0469c1ecf 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md @@ -164,12 +164,13 @@ If you need to test the parser execution without saving it as a function, add th ### Parser Definition - Title: Microsoft Exchange Compare Data MRA Parser -- Version: 1.0.0 -- Last Updated: 25/02/2024 +- Version: 1.1.0 +- Last Updated: 30/08/2024 - Description: This parser compare data from MRA and ESI Exchange Collector to find differences |**Version** |**Details** | |---------|-----------------------------------------------------------------------------------------------------------------------| +|v1.1 |